Call out for more Twitter Followers

Start following us @Sysnetgs on Twitter for useful links to up to date industry related news!!

New Facebook Company Page - Sysnet Global Solutions

Just launched our new company page on FB - Would REALLY appreciate some 'Likes' for our FB page. Thanks in advance!! http://www.facebook.com/pages/Sysnet-Global-Solutions/244306142246419

PCI DSS in the Retail Sector

The 6 leading worldwide major payment card brands established the Payment Card Industry Data Security Standards (PCI DSS) as a standard to protect cardholder data from malicious attacks. Due to the numerous ways the retail sector processes card payments, it is not surprising that it is a prime target for attack from the criminal fraternity. Retail merchants vary in size, ranging from individual self-employed traders that may use a single payment terminal, to the larger retail giants such as supermarkets with networked estates of 30,000+ terminals. Additionally, retailers often provide mail and telephone order delivery channels, where call centre staff will have access to large amounts of cardholder data.

Furthermore, with the Internet being the fastest growing retail sector, many merchants are turning to this sales channel to attract a wider audience for their goods and services – however if systems are not fully secure, they could find themselves vulnerable to remote attacks from anywhere in the world.


‘If the scope is not complete it could result in a breach of cardholder data’


PCI DSS compliance in practice
The following are some critical areas that are typical for a retail environment, but may be overlooked:



  • Merchant Receipts: Although many new terminals now print the PAN truncated (displaying only the first 6 and last 4 digits), older terminals may print the full PAN on merchant receipts. Therefore, merchant receipts are in scope. Furthermore, other physical media such as chargeback forms and physical faxes may be present. Any media containing the PAN must be handled, stored and disposed of in a secure manner. Ensure your organisation does not simply leave transaction receipts in public areas or place them in plastic bin bags to be thrown away; they should be treated the same as cash.


  • Sales/Customer Services Team: If the merchant operates an electronic point of sale system, the equipment may be vulnerable to ‘keyloggers’, either hardware devices (connected to the keyboard and hidden from view behind the PC) or malicious software (installed deliberately or accidentally), which capture keystrokes.


  • Call Recordings: If calls are recorded, storing the PAN in an encrypted format is permitted; however, the storage of any CVV (a sensitive authentication value) is prohibited by PCI DSS, so it must not be recorded.


  • Post-authorisation: Storing sensitive authentication data post-authorisation is strictly prohibited by PCI DSS. Ensure sensitive authentication data is not stored after authorisation.


  • Video Monitoring: Most CCTV footage is destroyed after a month; however, under PCI DSS requirements access mechanism logs should be retained for at least 3 months.


  • Indirectly Connected Devices: Any machines that are not involved in cardholder data processes, but are logically connected to devices that do process, store or transmit cardholder data, will be in scope.


  • Terminal/POS Responsibility: POS systems are usually mounted on underlying operating systems such as Windows 98, 2000, XP or later and should be included within an organisation’s PCI DSS project scope. However, this is often not considered.


  • Private Networks: ‘Private’ networks provisioned by a service provider may actually be shared. Ensure that the perimeter device to the private network is not connecting out over the Internet.

‘PCI DSS is achievable with guidance and an effective roadmap’



Achieving PCI DSS compliance
Sysnet recommends that rather than taking the ‘traditional’ route and performing a gap analysis as the first step to achieving PCI DSS compliance, it would be more beneficial to conduct an initial scoping exercise – this will review all systems, which will shape the extent of the PCI DSS project.

A scoping exercise offers options to manage the size of the project by offering ‘as is’ and ‘what if’ scenarios to clearly demonstrate how change to the process impacts the scope. The organisation then has the opportunity to choose the option they feel is most appropriate to their situation and their business.

By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved, simply by reducing the number of systems, locations and employees who are subject to PCI DSS requirements. This will also make compliance review a more manageable process.

Sysnet have often achieved a ten-fold reduction in the costs of an organisation’s initial and on-going compliance due to the adoption of this methodology. Although PCI DSS may seem a long and daunting process, with good planning and a clear road map supported by an experienced and pragmatic QSA partner, compliance can be achieved.

This will also put the business in a stronger position, as there will be a greater understanding of how systems work within the organisation and of the identified potential risk areas. Businesses should also consider that the financial and reputational costs of a data breach could be far higher than the implementation of a PCI project.


‘A commitment to protecting customer’s cardholder data 24/7 365 days a year’

Maintaining PCI DSS compliance
Once the people, processes and technology are in place, re-assessment should become far easier. Many businesses use PCI DSS as an opportunity to introduce new hardware and operating systems, and merge disparate business processes – it is therefore essential that a full scoping review is undertaken prior to engaging in any major project development. A commitment to PCI DSS is a commitment to protecting customer’s cardholder data 24/7, 365 days a year.

How can Sysnet help?
Sysnet QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.

Due to the challenges faced in this area, retail merchants should find the most time and cost effective route to compliance. Sysnet can assist with this by reducing the number of systems, locations and employees subject to PCI DSS compliance, which will ultimately reduce the overall cost of achieving and maintaining compliance.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.


PCI DSS compliance challenges for the Hospitality Sector

PCI DSS requirements are a confusing array of demands that take time, resource and money to meet. Within the hospitality sector there are numerous challenges to be faced, some of which have straightforward answers whereas others may require more innovative solutions.


The hospitality sector is particularly vulnerable to cardholder data breach due to the various mechanisms used to facilitate bookings and payments. In an industry where customer service is of the utmost importance there have been a number of high profile data compromises which have seriously affected the brand credibility of the organisations involved.


PCI DSS compliance in practice
Businesses trading in the hospitality arena, and falling within the scope of PCI DSS, should be aware of the following critical areas:



  • Call recordings which include cardholder data are within the scope of PCI DSS. This must be addressed in any compliance project;


  • Storage of the Primary Account Number (PAN) on paper is still within the scope of compliance. Is your organisation taking steps to protect card data on paper or remove it altogether? Have you confirmed whether the payment applications you use are PA DSS certified or have any plan to become certified?


  • Does your company use pre-authorisation for incidental charges, or are you storing sensitive authentication data? This is strictly prohibited by PCI DSS;


  • Storage of cardholder data within a booking and/or room management system often significantly increases the number of systems within the scope of PCI DSS.

It might sound strange, but the key to PCI DSS compliance is not meeting the requirements. In fact, direct remediation of issues in order to achieve compliance is often the most complex and costly way of getting there! Companies seeking compliance should first seek to reduce their compliance scope to the smallest possible footprint. Sysnet have often achieved a ten-fold reduction in the costs of an organisation’s initial and on-going compliance.

Sysnet recommends that rather than taking the ‘traditional’ route and performing a gap analysis as the first step to achieving PCI DSS compliance, it would be more beneficial to conduct a scope reduction exercise. This would provide blueprints of how your card payment processing systems could look based upon different scope reduction options.

By adopting this approach, a significant reduction in the overall cost of the compliance exercise can be achieved, simply by reducing the number of systems, locations and employees who are subject to PCI DSS requirements. This will also make compliance review a more manageable process. Following on from the above exercise you will receive various options by which the scope of compliance could be reduced.

The recommendations will also provide insight as to how the scope of compliance may look once that solution, process or approach has been implemented. For example, on completion of the scope reduction exercise you would need to complete the appropriate Self Assessment Questionnaire (SAQ). This provides you with the flexibility of choosing the solution that fits your business.

Maintaining PCI DSS compliance
True information security can only be achieved through the implementation of a comprehensive data security programme. It needs to be continually updated to reflect industry best practices such as PCI DSS or ISO 27001 and accommodate the need for continuous workforce education and the implementation of proven technologies to protect data assets.

A comprehensive data security programme is one that involves all areas of the business with the aim of securing valuable business information from the moment it enters the organisation until it leaves or is destroyed. The three most vital business components that need to be addressed are people, processes and technology.

People: People are often viewed as the weak link in the information security chain. Education is critical to ensuring your employees are familiar with your business security policies and procedures and that they know exactly what is expected of them when it comes to protecting the information assets of the business. New employees should receive information security training on induction, with mandatory periodic refresher courses for existing employees.

If your business is part of a wider group or franchise, take advantage of group training events and materials. Franchise owners should ensure consistency across all locations by providing such training aids and group policies.

Processes: Many security weaknesses manifest themselves in poor information security management processes and insecure system architecture. A thorough analysis of policies and procedures is required to ensure that your business operates in a secure manner.

Simple steps that can be taken include the identification of information that isn’t required by the business as well as the reduction of the number of applications and systems that store or transmit sensitive data. Taking these steps can also go a long way towards reducing the scope and costs of compliance audits.

Technology: Poorly implemented technology solutions can pose significant risks to data security. A thorough analysis of existing as well as proposed systems and their implementation is critical to identifying how suitable and capable a technology is for your organisation’s needs.

You can also reduce the burden of protecting information within your business by choosing appropriate partners who take on the responsibility of managing the data. However, the merchant retains compliance responsibility if functions are outsourced. Technologies such as tokenisation and end-to-end encryption greatly reduce the scope of information security requirements.

Merchants should be aware that as of July 2012, MasterCard has mandated that all European merchants and service providers using 3rd party payment applications must use PA DSS compliant applications. Full listings of compliant providers are available on the Security Standards Council’s website, http://www.pcisecuritystandards.org/.

How can Sysnet help?
Sysnet’s QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.

Sysnet have taken this experience and built an extensive knowledge base which helps us to better assist you with the challenges you face.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

PCI DSS compliance challenges for the E-commerce Sector

The Internet is the fastest growing retail sector, and it is therefore not surprising that many merchants are turning to this sales channel to maximise sales potential. Also, barriers to entry are far lower, allowing many start-up and fledgling businesses an opportunity to commence trading with minimal capital outlay – however, if systems are not fully secure, they could find themselves vulnerable to remote attacks from anywhere in the world. With a wider range of goods available, there has been a significant increase in the number of customers using their payment card online, with more card data being transmitted and stored via the Internet.

It is not surprising therefore, that the E-commerce sector faces numerous challenges in order to protect itself from the growing threats from malicious individuals and organised crime looking to identify and exploit weaknesses in the payment process. The 6 leading worldwide major payment card brands established the Payment Card Industry Data Security Standards (PCI DSS) as a standard to protect cardholder data from such attacks.

The PCI DSS contains 12 requirements that are grouped within 6 core principles. If an organisation processes, stores or transmits cardholder data it will be in scope for PCI DSS. All E-commerce systems will need to be considered. In many circumstances, business owners in this industry do not have the resources or the technical knowledge to help reduce the risk of a data breach. Nevertheless, even large E-commerce merchants with skilled personnel suffer breaches; one merchant was responsible for the loss of over 50 million card numbers.



‘If the initial scope is not sufficiently detailed, it could result in a breach of cardholder data’

PCI DSS compliance in practice
The first part of any PCI DSS compliance assessment is scoping. Without a thorough analysis of cardholder data flows (physical or electronic), a PCI project could miss vital areas, for example legacy systems, or over-engineer systems upgrades because the process wasn’t fully understood. The following are some critical areas that are typical for E-commerce environments, but could be overlooked:




  • Log Files: Many E-commerce systems conduct online authorisations, with the full PAN being stored once the transaction has been completed. PCI DSS requires that the PAN must be made unreadable (by truncation, hashing, tokenisation or strong encryption). Places that could potentially store this type of data, but are often overlooked, include transaction files, debug files, back-up files, history files and application logs.


  • Software Development: Companies who have developed their own web applications should employ a developer who has experience in secure coding practices. It is essential that the coding is secure, as a line of insecure code could facilitate an entry point for a malicious user. An often overlooked area is the use of third party tools/libraries/scripts. Vulnerabilities in third party code may open a backdoor to E-commerce systems to drop malicious files or provide an entry point for an unauthorised user to steal database information containing cardholder data and/or other sensitive information.


  • Off-the-shelf packages: Organisations using third party payment applications are reliant on the security of these applications. Smaller retailers may purchase E-commerce systems which are in fact open source websites with minor modifications. These packages are often attacked as the underlying source code is publicly available and provides information on the security mechanism (or lack of) used. This may open holes within the E-commerce system to plant viruses, trojans or even worse, provide a malicious user with an opportunity to directly query databases that may contain a collection of cardholder and other sensitive customer information.


  • Third Parties: A merchant is responsible for any agent they engage on their behalf. If an organisation relies on a third party to collect cardholder data, the third party must undergo a PCI DSS assessment, and if the third party is not PCI DSS compliant then the merchant is not compliant either.


  • Post-authorisation: Storing sensitive authentication data (CVV/CV2) post-authorisation is strictly prohibited by PCI DSS.


  • Indirectly Connected Devices: Any machines that are not involved in cardholder data processes, but are logically connected to devices that do process, store or transmit cardholder data, will be in scope.


‘PCI DSS is achievable with guidance and an effective roadmap’



Achieving PCI DSS
Some companies may first conduct a gap analysis and then remediate the problems. Sysnet recommends that an initial scoping exercise is undertaken - this will review all systems, which will shape the extent of the PCI DSS project. It will also highlight areas of current risk that could potentially be removed with replacement systems or secure enhancements.

A scoping exercise offers options to manage the size of the project by offering ‘as is’ and ‘what if’ scenarios to clearly demonstrate how change to the process impacts the scope. The organisation then has the opportunity to choose the option they feel is most appropriate to their situation and their business. Although PCI DSS seems a long and daunting process, with good planning and a clear road map, supported by an experienced and pragmatic QSA partner, compliance can be achieved. This will also put the business in a stronger position, as there will be a greater understanding of how systems work within the organisation and of the identified potential risk areas. Businesses should also consider that the financial and reputational costs of a data breach could be far higher than the implementation of a PCI project.

‘A commitment to protecting customer’s cardholder data 24/7 365 days a year’

Maintaining PCI DSS compliance
Once the people, processes and technology are in place, re-assessment should become far easier. Many businesses use PCI DSS as an opportunity to introduce new hardware and operating systems, and merge disparate business processes – it is therefore essential that a full scoping review is undertaken prior to engaging in any major project development. A commitment to PCI DSS is a commitment to protecting customer’s cardholder data 24/7, 365 days a year.

How can Sysnet help?
Sysnet’s QSA consultants have significant experience with helping organisations attain and remain compliant with the PCI DSS. We have worked closely with many high profile organisations and have a wealth of experience in dealing with a varied range of payment applications that are currently being used.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.


Data Breaches – Compulsory Disclosure?

EU Justice Minister Viviane Reding has recently announced that she is formulating a policy that will mandate any business trading in the EU, or which targets EU residents, to notify their customers and the regulatory authorities if they suffer a data breach. The intention is to ensure that all businesses handling sensitive data take their obligations seriously.


This action follows the recent spate of attacks on some high profile organisations, where millions of personal data records were subject to data hacks.


Following the introduction of the EU e-privacy directive on 26th May 2011, telecoms and Internet service providers are already subject to mandatory data breach disclosure, and the Minister is now seeking to widen these powers to include all sectors.


The legislation has the power to impose penalties and legal sanctions for any infringement, and it is expected that these strong ‘incentives’ will encourage businesses to conduct serious risk assessments regarding their storage of sensitive personal data, and to implement appropriate security measures to protect the confidentiality and integrity of this information.


It should also be noted that the UK Information Commissioner has regulatory powers to investigate and penalise in cases of deliberate and persistent misconduct.


With all of the increasing media and regulatory interest in data security, how does a business go about protecting its key assets, particularly customer databases, and avoid a data breach?

How can Sysnet Global Solutions help?
Sysnet offers a Security Assessment service, which provides a unique and flexible approach encompassing Incident Response, Audit, Computer Forensics and Penetration testing.


The assessment will be tailored to the individual needs of the business, and can include reviews of encryption, wireless networking, portable device security, contingency plans, security awareness, system configuration and premises vulnerabilities.

If a business takes card payments, it will fall under the requirements of the Payment Card Industry Data Security Standard (PCI-DSS). However, the Sysnet Security Assessment service goes into far more detail, so that the customer can feel confident that they are in control of their security position.


Additionally Sysnet offer an on-demand, computer incident response service, whereby in the event of an incident, Sysnet can be on call ready to provide advice and visit the affected site to help contain the incident, offer guidance and if required, conduct a forensic investigation. This service is pre-arranged and also includes an initial visit to the site to help assist in highlighting security vulnerabilities, and offering remediation planning to overcome these weaknesses.


Whilst no business can be wholly safe from a data incident, by following the guidance given by the Sysnet CFS team, businesses can not only reduce their exposure to such an attack, but will also be in a far better position to respond in a positive and speedy manner, ensuring continuity of trading and minimising brand and reputational damage.


Another key area is the storage of unencrypted card data - under PCI-DSS all card data should be securely deleted from computer systems, or if deemed necessary for operational requirements, then the information needs to be stored in a suitable encrypted format. In all too many cases, when a forensic investigation is undertaken following a data breach, card information is located in clear text.


This can be due to a number of circumstances: forgotten databases, legacy systems deemed out of scope for PCI accreditation, or back-up files converting encrypted information into readable format. Whatever the reason, storing unencrypted data will heighten the risk, and invalidate any PCI compliance certification.

To mitigate the risk of operating with such a vulnerability, Sysnet are able to offer their Cardholder Data Discovery Service, which can scan servers, PCs and storage media for unencrypted card numbers. Once the scan has been completed, and if any residual information has been identified, we can safely erase the data, help prevent it from being stored or, if preferred, give guidance as to how the records can be held securely to conform to the PCI-DSS.
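The kind of check a cardholder data discovery scan performs, and the same check applied to the overlooked log, debug and back-up files described under “Log Files” in the E-commerce section above, as an added example (not Sysnet’s own tool): digit runs are validated with the Luhn check so order numbers and timestamps are not reported, anything already truncated to first six + last four is classed separately, and field names such as cvv that suggest sensitive authentication data was written out are flagged. The sample log lines are constructed and use published card test numbers rather than real PANs; the SAD field-name list is a heuristic of this example.

```python
"""Cardholder data discovery over log text (added example, not Sysnet's tool).

Finds digit runs that pass the Luhn check (candidate full PANs), values already
truncated to first six + last four, and field names that suggest sensitive
authentication data (CVV/CV2) was written out. Sample log lines are constructed.
"""
import re
from typing import Dict, List, NamedTuple

# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# The truncated form PCI DSS permits on receipts: first six and last four digits visible.
TRUNCATED = re.compile(r"\b\d{6}[Xx*#]{3,9}\d{4}\b")
# Heuristic (this example's own list): field names that must never be stored post-authorisation.
SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cv2|track[12]?)\s*[=:]", re.IGNORECASE)

# Constructed sample using well-known card test numbers rather than real PANs.
SAMPLE_LOG = [
    "2011-06-14 10:02:11 INFO order=1234567890123456 auth=OK pan=411111******1111",
    "2011-06-14 10:02:12 DEBUG raw request: card=4111 1111 1111 1111 exp=0113 cvv=123",
    "2011-06-14 10:03:40 INFO refund pan=5500000000000004 amount=19.99",
    "2011-06-14 10:04:01 INFO session renewed for customer 42",
]


class Finding(NamedTuple):
    line_no: int
    value: str   # always a masked/truncated form, safe to put in a report
    kind: str    # "full_pan", "truncated" or "sad_field"


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that payment card PANs must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Render a PAN as first six + last four so the report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines: List[str]) -> List[Finding]:
    """Return every full PAN, truncated PAN and suspected SAD field, with its line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Order numbers and timestamps rarely pass Luhn, so this cuts false positives.
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask(digits), "full_pan"))
        for m in SAD_FIELD.finditer(line):
            findings.append(Finding(line_no, m.group().strip(), "sad_field"))
        for m in TRUNCATED.finditer(line):
            findings.append(Finding(line_no, m.group(), "truncated"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; any 'full_pan' or 'sad_field' puts the file in scope."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.kind:9s} {f.value}")
    print(summarise(results))
```

On the sample, the truncated value on line 1 is reported as acceptable, while the spaced-out card number and the cvv field on the DEBUG line and the refund PAN on line 3 are the findings that would need erasing or encrypting.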


Sysnet bring the pragmatic mindset of a forensic investigator together with knowledge of real world hacking to give you the edge in security management. For more information please contact us by calling 0844 562 3147 (UK) or +353 (0)1 495 1300 (Rest of the World) or by completing our Online Enquiry Form or Request a Call Back Form

Sysnet to present at IPSO Data Breach Awareness Workshop on June 14th

Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, will present at the Irish Payment Services Organisation (IPSO) Data Breach Awareness Workshop on June 14th 2011. The event, which takes place in Dublin, will educate and inform delegates of the need to proactively plan and test data breach scenarios. The result being that, in the event of a data breach, the correct actions are taken and the financial and reputational loss are minimised.

Ian Wright, Senior Consultant, and Benn Morris, Manager Computer Forensic & Security at Sysnet Global Solutions, will present on the topics of describing an incident, an overview of the internal and external threats, and preparing and planning for a data breach. Ian Wright has over 30 years’ experience in the banking industry. For the last 5 years he was Head of Fraud for a major UK acquirer. He brings a unique insight into the issues faced by merchants and card processors. After working for West Yorkshire Police Hi-Tech Crime Unit, Benn Morris moved into the private sector conducting forensic investigations, incident response and security assessments for many high profile corporate organisations.

Also presenting at the event are Úna Dillon, Head of IPSO Card Services and Detective Sergeant Matthew Sheridan, Garda Bureau of Fraud Investigations.

The briefing will take place at the Radisson Blu Hotel, Golden Lane, Dublin 2, and will commence at 10.00am and conclude at 1.00pm.

To register a place at this workshop, go to the IPSO website www.ipso.ie and follow the link.

Sysnet launch Newsletter, Sysnet Secure

Sysnet officially launch their newsletter, Sysnet Secure. To celebrate the launch, an iPad will be won as a prize by one lucky reader.

To view the newsletter, please click here.

Common Cyber Crimes facing the Payments Industry

There is little doubt that an Account Data Compromise (ADC) would be detrimental to the operational effectiveness of any business. However, to organised criminal groups it can be an easy way in which to generate funds for criminal gain. In the 21st century, it can be easier for a criminal gang to commit cyber crimes, such as raiding the credit card details of a poorly maintained website, than to raid a high street bank.

The favoured methodology of website hackers is to exploit poorly written and unsecured websites and then seek to locate the credit card information held within. By focusing on weaker websites in this way, and ensuring that the total level of card fraud is not too high, many of the hackers simply take the ‘low hanging fruit’ and go unnoticed until it is too late.

Often exploiting the same common vulnerability across multiple different hosts, for example an authentication weakness in a popular shopping cart, allows the hacker to simply trawl the Internet for those websites that use that shopping cart, exploit them and collect the reward. No organisation wants to fall foul of cyber crimes, and therefore, in order to protect themselves against a potential information security breach, certain steps should be taken to reduce susceptibility to the most common types of breaches.

Legislation
Unlawful access to a system that is used by a merchant is on the whole in breach of section 1 of the Computer Misuse Act, and in the real world the stealing of cardholder data is more than likely to be associated with the stealing of PII (Personally Identifiable Information). Therefore, once a data breach has occurred, it can easily escalate from an exercise where the card brands are requesting their card numbers to be returned, to the local law enforcement agency mounting a personal data loss investigation.

Cardholder data breaches that are the result of cyber crimes are increasingly raising interest within the various law enforcement and data protection agencies around the EU. Although currently each member state takes a different view on how to deal with the consequences of cyber crimes, growing public awareness of the issue could see law enforcement take a heavier, more legally based role in the near future.

Protecting Your Organisation
There are no hard and fast rules to ensure that your website is safe and secure from the persistent threat of cyber crimes. However, there are some actions that organisations can take to help avoid large fines for the misuse and loss of cardholder data. Below are 10 helpful tips for organisations seeking to become more proactive:


  1. Get PCI DSS compliant. Look at your merchant agreement with your acquirer, it will state that you need to be PCI DSS compliant;

  2. Plan, Plan, Plan – you don’t know when the event might happen but an incident response plan and regular testing of this plan will pay dividends in the event of a breach;

  3. Suppliers - know who your suppliers are and also what cardholder data they may or may not be processing on your behalf. They will need to be PCI DSS compliant and could easily be your weak point in the protection of cardholder data;

  4. PFI Company – if there is a breach, one may be turning up at your door and asking questions that you might not immediately know the answer to. Pre-appointing a PFI and talking to them about what happens in a breach will iron out any potential problems;

  5. PR Response - should the worst happen and your businesses’ reputation is on the line, have a pre-planned public response; a response prepared beforehand is far better than a response drafted in the heat of the moment;

  6. Policy – one of the easiest ways to mitigate the risk that a breach represents is to ensure that policies and procedures are robust enough to reduce the chance of a cardholder breach and also have the flexibility to respond if a breach occurs;

  7. Data Protection – the legal and compliance authorities are becoming more interested in ensuring that the cardholder data that merchants process and the personal information they obtain is kept within the realms of the merchant, and does not get into the hands of the hackers. Whilst the card brands could fine an organisation for the misuse and/or loss of cardholder data, the data protection authorities can also stop a merchant processing cardholder data;

  8. Acquisition of evidence – should an external party be required to investigate a breach, a lot of time, energy and effort can be saved by allowing the external investigative party to investigate and acquire the data. The more that the data is tampered with before a forensic investigation is carried out, the less information can be found out about what actually happened;

  9. Check your liabilities – ensure that you have the correct contracts; it may be that your 3rd party has provided you with a ‘managed’ firewall but what does that mean? You may only find out when a hacker has already taken your customer’s cardholder information away;

  10. Don’t Panic – if the worst should happen, act with a clear head and don’t make rushed decisions that could affect the outcome at a later stage.

For further information on our Incident Response, Forensic Security or PCI Forensic Investigator Consultancy Services, please contact one of our Sales representatives by calling 0844 562 3147 (UK) or +353 (0)1 495 1300 (Rest of the World) or by completing our Online Enquiry Form or Request a Call Back Form.

The UK Data Protection Act (1998) requires any organisation that receives, transmits, stores or processes personal information to comply with the eight basic principles contained in Schedule 1 of the Act.


The essence of the eight principles can be summarised as follows:



  • Personal data shall be processed fairly and lawfully

  • Personal data shall be obtained only for lawful purposes

  • Personal data shall be adequate, relevant and not excessive

  • Personal data shall be accurate and kept up to date

  • Personal data shall not be kept longer than necessary

  • Personal data shall be processed in accordance with the rights of data subjects under this Act

  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing

  • Personal data shall not be transferred to a country or territory outside the EU except in specific instances where equivalency of safe-harbour applies

Compliance with the Data Protection Act is a legal requirement for all organisations operating in the United Kingdom which collect, store or process personally identifiable information. Ensuring ongoing compliance with the Act is therefore an essential management activity for any company or organisation which engages in the above-mentioned activities.


In addition to potential penalties that may be imposed by the courts or the Information Commissioner’s Office, most modern organisations are reliant on their brand reputation to attract and retain customers and partners in the private sector, or to achieve their organisational or statutory goals in the public sector.


As such, a breach of data privacy could have far wider consequences than any sanction imposed by the Information Commissioner or any other regulatory body, and could compromise a key commercial relationship or prejudice your organisation’s ability to win and retain customers.


Achieving compliance with the Data Protection Act should begin with the selection of an expert third party advisor and is achievable through a regime of analysis and assessment, training and awareness initiatives, organisational support and policy implementation, all of which need to be underpinned by appropriate technological, architectural and infrastructure investments.


In conjunction with the expert advisor, the next step will be to assess your organisation against the eight principles of Schedule One of the Act and determine a remediation plan that will close off any shortcomings identified in the most pragmatic and cost-efficient manner.


This is usually achieved by a process involving the following steps:



  1. Scoping of private data environment

  2. Gap analysis and assessment of current level of compliance

  3. Remediation phase to address identified gaps

  4. Re-assessment and issue of Report on Compliance

The expert advisor will also recommend how best to deal with requests from data subjects whose personal data your organisation controls.


How can Sysnet Global Solutions help?
Sysnet has a team of information security consultants who are well versed in the governance, risk and compliance of personal data. Sysnet is able to provide advice on how to protect your data as well as on distributing this data in a safe and secure manner. Our consultants have strong experience in dealing with data protection issues and in how the movement and storage of data can impact your business operational tasks. Not only can Sysnet provide consultancy advice on how to protect your data, but also on what to do if there is a data breach and how best to contain any unfortunate events that may happen.


For further information on our Information Security Services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

Overview of the main changes between v1.2.1 and v2.0 of the PCI DSS

Prior to its release, the latest version of PCI DSS had sparked debate as to whether there would be significant changes to the standard.

PCI DSS v2.0 was officially released in October 2010 and demonstrated that changes had been made mainly for clarity to maintain the quality of assessments. There have been numerous changes, many of which seek to be more specific around test procedures that are required. The other main changes to the standard are highlighted below:
  • Scoping;
  • Inclusion of Virtualisation;
  • Storage;
  • Time Synchronisation;
  • Scanning;
  • Wireless and IDS/IPS;
  • Evolving Requirements: Applications.

Each of these areas will be broken down below to cover the high level salient changes that have occurred to the PCI DSS.

Scoping
As with any PCI DSS assessment, it is important that proper scoping is conducted. Changes have been made to ensure that the scope has been clearly defined with emphasis on the following points:

  1. Requirement to identify all locations of cardholder data flow;
  2. Explicit requirement for merchants / service providers to identify and explicitly define all of the locations and flows of cardholder data annually before they begin their assessment;
  3. Documentation must be presented that shows how the PCI DSS scope was confirmed and the scoping results so that the assessor can review and accept as evidence if appropriate;
  4. Consider all areas of stored electronic and physical media containing cardholder data. This should include (but not be limited to) databases, mail orders, faxes, call recordings, emails, temporary files and log files;
  5. “System components” also include any virtualisation components.

Main impact:
  • Organisations may need to be more proactive and spend more time understanding where cardholder data is processed, stored or transmitted;
  • Expect the QSA to spend more time verifying the scope, specifically the data flows and storage locations;
  • Expect to be asked to present evidence of how the controls are adequate to segment the scope, and prove that testing has been conducted outside of this scope to ensure that there is no additional pollution.

Virtualisation
Virtualisation is now officially recognised and therefore all virtualised system components should be reviewed to determine whether they are in scope for PCI DSS. If they are in scope, then the PCI DSS controls will apply depending on the context of the components. For example:

  1. Virtualised servers would require all PCI DSS requirements applicable for servers;
  2. Virtualised firewalls and routers would require all PCI DSS requirements applicable for firewalls and routers;
  3. Virtualised system components would require all PCI DSS requirements applicable for that particular type of system component.

Main impact:
  • Including virtualised system components within the scope should not come as a surprise. If virtualisation technologies have not been included in the scope before, then your QSA may spend time reviewing the setup and corresponding documentation for that component;
  • Sysnet have always applied the requirements in this manner, so there should be minimal uplift to any customers engaged with our QSAs.

Storage
Emphasis has been placed on preventing access to both the truncated and the hashed versions of the PAN, not just the PAN itself. With special tools, it takes a trivial amount of time and effort to combine these two elements and reconstruct the original PAN.


Review the following:

  1. Implementation of controls to ensure that the hashed and truncated values cannot be correlated to reconstruct the original PAN;
  2. Whether you need to keep both truncated and hashed versions – if you don’t need it, don’t store it.

Main impact:

  • Adding additional controls may provide additional expenses;
  • It may prove difficult to add additional controls depending on your implementation;
  • Storage of both versions may be by design currently, and making this change may prove difficult. Further work would need to be conducted to understand the risk and impact around any change.
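As an added illustration of the correlation risk and of the control behind review point 1 (this is example code, not the article's or Sysnet's): the candidate-space count quantifies how little an unkeyed hash protects once the first-six/last-four truncation is known, and a keyed HMAC removes the correlation. The 16-digit PAN format, the `*` mask, the record field names and the `hash_scheme` labels are assumptions chosen for the example; the PAN used is a well-known test number.

```python
"""Why a truncated PAN and an unkeyed PAN hash must not sit together, and the keyed alternative.

Added illustration, not from the article. Assumptions: 16-digit PANs, first-six /
last-four truncation with '*' as the mask character, and record field names
pan_truncated / pan_hash / hash_scheme, all chosen for this example.
"""
import hashlib
import hmac
import math
import secrets

MASK = "*"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check that every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled ...
            d = d * 2
            if d > 9:           # ... and folded back into a single digit
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """First six / last four truncation, as printed on most modern receipts."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + MASK * (len(pan) - 10) + pan[-4:]


def candidate_space(truncated: str) -> int:
    """Number of Luhn-valid PANs consistent with a truncated PAN.

    Doubling-and-folding is a bijection on the digits 0..9, so every masked
    position contributes one of ten distinct residues mod 10 to the Luhn sum.
    Fix all masked digits but one and exactly one value of the last makes the
    check pass: the space is 10**(k-1) for k masked digits. For first6/last4
    on a 16-digit PAN that is 100,000 candidates.
    """
    k = truncated.count(MASK)
    if k == 0:
        return 1 if luhn_valid(truncated) else 0
    return 10 ** (k - 1)


def secrecy_bits(truncated: str) -> float:
    """Bits of secrecy an unkeyed hash of the PAN retains once the truncation is known."""
    return math.log2(candidate_space(truncated))


def hash_pan_unkeyed(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic and keyless, so the small candidate
    space above can be tested against it by anyone holding the truncation.
    This is the weak pattern the standard now warns about."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key kept outside the data store.

    Without the key there is nothing to test candidates against, so the hash and
    the truncation can no longer be correlated. The key needs the same
    key-management controls PCI DSS requires for encryption keys.
    """
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def correlation_risk(record: dict) -> str:
    """Classify a stored record against the article's two review points."""
    has_trunc = "pan_truncated" in record
    has_hash = "pan_hash" in record
    if has_trunc and has_hash and record.get("hash_scheme") != "hmac-sha256":
        return ("HIGH: truncated PAN stored beside an unkeyed hash; the PAN is "
                f"recoverable from only {candidate_space(record['pan_truncated']):,} candidates")
    if has_trunc and has_hash:
        return "MEDIUM: both versions stored (keyed); drop one unless both are needed"
    return "OK"


if __name__ == "__main__":
    pan = "4111111111111111"          # well-known test number, not a real card
    trunc = truncate_pan(pan)
    print(trunc, f"{candidate_space(trunc):,} candidates, {secrecy_bits(trunc):.1f} bits")
    weak = {"pan_truncated": trunc, "pan_hash": hash_pan_unkeyed(pan), "hash_scheme": "sha256"}
    key = secrets.token_bytes(32)       # in production: held in a key store, not the database
    strong = {"pan_truncated": trunc, "pan_hash": hash_pan_keyed(pan, key), "hash_scheme": "hmac-sha256"}
    print(correlation_risk(weak))
    print(correlation_risk(strong))
```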

Time Synchronisation
It is important to ensure that your clocks are accurate, in order to aid any forensic work. To support this, there must be clear and documented processes for distributing time through your cardholder data environment.


Previously there has been a bias towards using NTP. In the new standard, references to any particular technology have been removed.

Whatever time synchronisation you decide to use, make sure you use approved sources and have the distribution of time documented appropriately.

Main impact:

  • Flexibility to use other time synchronisation technologies that may be more suitable for your environment.

Scanning
This is a very important area to consider. PCI DSS requirement 11.2 is now split into further subtests to explicitly conduct internal (11.2.1) and external (11.2.2) test procedures for vulnerability scanning. Why? In many cases organisations rely on external vendors to conduct external testing. This change may indicate that organisations have been falling into trouble when required to demonstrate internal testing.

Don’t neglect internal scanning. Remember to:
  • Conduct internal testing at least on a quarterly basis;
  • Conduct internal rescans until there is a passing scan;
  • Document scanning procedures and provide document evidence of the outcome of both internal and external scans.

Main impact:
  • For those who have not conducted internal testing you should start this process as soon as possible. Failure to demonstrate the required internal testing evidence could jeopardise your next PCI compliance review.

Wireless and IDS & IPS
Organisations should not neglect the fact that rogue wireless devices are easy to implement and therefore pose a significant threat. A few changes have been made:

  • PCI DSS requirement 2.1.1 is split into further test procedures, but something is missing: there is no reference to WPA (or in fact to any wireless technology);
  • PCI DSS requirement 11.1 includes “physical/logical inspections of system components and infrastructure”;
  • PCI DSS v2.0 now mandates that IDS/IPS monitor the perimeter and all critical points within the cardholder data environment.

Main impact:
  • Organisations will need to give serious thought to moving to WPA2, or they will need to bolster their current wireless implementations with enterprise-level security rather than just using Pre-Shared Keys (PSK). A better position may be to ask yourself: “Is sending cardholder data over wireless the best way?” Again, if you don’t need it then don’t use it;
  • Physical/logical inspections of system components provide greater flexibility to meet the test procedures, especially for small organisations with few resources, who currently may not be knowledgeable in using specialist wireless scanning and IDS/IPS software;
  • Wireless IDS/IPS systems at critical points in the CDE may mean less system management overhead and potentially fewer false positives.

Evolving Requirements
Two extra requirements that PCI DSS v2.0 has included to spice things up will keep those involved with software development and patching busy:

  • PCI DSS requirement 6.2 not only requires the ability to identify security vulnerabilities, but also to assign a risk ranking;
  • PCI DSS 6.5 has been refined as a reminder that the requirements apply to all software and not just web applications. Furthermore, 6.5.6 requires that “High” risk vulnerabilities, identified using the new risk ranking process in PCI DSS requirement 6.2, are addressed.

Main impact:
  • Organisations must start developing risk ranking processes at their earliest opportunity;
  • This risk ranking could also work in your favour. The standard risk ranking provided by the vendors may not be appropriate within your environment. This may allow additional time for testing and scheduled rollout rather than reactive installation;
  • Organisations will be required to spend time demonstrating a proper secure software development lifecycle for all internally-developed applications within scope for PCI DSS.

How will v2.0 impact on organisations seeking to attain/retain PCI DSS compliance?
To the relief of most organisations, PCI DSS v2.0 will have minimal impact. The changes made have been for clarity of the test procedures and in recognition of advancing technology and threats. The main points are:

  • Organisations should properly scope where their cardholder data is. It is difficult to secure the data if it is not known where it is;
  • Expect your QSA to spend more time verifying the scope, reviewing the current technologies (which may now be considered not fit for purpose) and gathering evidence.

Will there be future updates to the PCI DSS?
The PCI DSS now uses a three-year life cycle and the next standard should be released around October 2013. The following diagram is taken from the official Lifecycle for Changes to PCI DSS and PA-DSS demonstrating the phases of the three year cycle.

Based on PCI DSS v2.0, it is envisaged that the new version will:
  • Have further improvements in scoping;
  • Clarify assessment procedures;
  • Include considerations for advances in technology as well as threats;
  • Address other areas, as we do not yet know what the future holds.

Final reminder to organisations
It is imperative that organisations focus on their business processes and not just the technology. All organisations must understand they are obliged to protect customers’ cardholder data – PCI DSS applies all year and is not just for the assessment.

As advances are made to technology, standards and regulations, organisations must not stand still. All organisations should consider undergoing QSA-led “health-checks” throughout the year to accommodate and review the impact of change, in order to assist them with remaining PCI DSS compliant.

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

PCI DSS Overview

The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard that governs the processing, storage or transmission of cardholder data. PCI DSS applies to any organisation which processes, stores or transmits cardholder data. Organisations can be classified as a merchant or a service provider. An important point to note is that the standard is not just an IT compliance standard; it affects all areas of an organisation.

PCI DSS Background
The PCI DSS was founded in December 2004 by 5 major card brands – Visa, MasterCard, American Express, Discover and JCB. The ongoing maintenance and updates to the standard are performed by the Payment Card Industry Security Standards Council (PCI SSC), an independent organisation jointly funded by all the participating card brands and participating organisations. The PCI DSS is now on its 4th major release, v2.0.

It is important to note that compliance is not a legal requirement, but it is driven by contractual agreements between merchants and acquiring banks that cannot be ignored.

PCI DSS Requirements
The PCI DSS is broken down into 6 domains, each with sections and associated requirements, as follows:

  • Build and Maintain a Secure Network

    1. Install and maintain a firewall configuration to protect cardholder data

    2. Do not use vendor-supplied defaults for system passwords and other security parameters

  • Protect Cardholder Data

    3. Protect stored cardholder data

    4. Encrypt transmission of cardholder data across open, public networks

  • Maintain a Vulnerability Management Program

    5. Use and regularly update anti-virus software on all systems commonly affected by malware

    6. Develop and maintain secure systems and applications

  • Implement Strong Access Control Measures

    7. Restrict access to cardholder data by business need-to-know

    8. Assign a unique ID to each person with computer access

    9. Restrict physical access to cardholder data

  • Regularly Monitor and Test Networks

    10. Track and monitor all access to network resources and cardholder data

    11. Regularly test security systems and processes

  • Maintain an Information Security Policy

    12. Maintain a policy that addresses information security

Why should an organisation comply with the PCI DSS?
There are a number of benefits of attaining PCI DSS compliance:

  • Provides your customers with assurance that card transactions will be handled securely by your organisation

  • Level 1 service providers who achieve PCI DSS compliance can ask to be added to the Visa and MasterCard lists of approved service providers

  • Avoidance of financial penalties which are divided into two areas:
    1. Non–Compliance Costs

    2. Data Breach Costs, which can include:

      o Fines levied by your acquirer for the cardholder data breach

      o Elevation to a level 1 merchant, increasing your ongoing compliance costs

      o The need to have an onsite QSA assessment which will add significant overhead to the demonstration of compliance

      o Consultancy costs for forensic assessments & remediation advice

      o Potential liability for consequential losses due to the card data breach

      o The fines which may be levied for non-compliance are potentially unlimited

Common Misconceptions
The following are common misconceptions in relation to PCI DSS compliance:

  • You can’t fully outsource all your PCI DSS accountability, although you can outsource most of the responsibility for the provision of services; remember that some areas of the standard will ALWAYS remain in scope.

  • Using a PA DSS compliant application – or a PCI PTS compliant PED does not automatically make your company PCI DSS compliant

  • A PCI DSS assessment/ SAQ completion is just a snap-shot. Compliance with PCI DSS must be maintained at all times, and evidence of this needs to be available

  • PCI DSS is NOT an IT compliance standard, it affects all facets of an organisation

For further information on our PCI compliance services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

Sysnet Global Solutions attains Approved Payment Forensics Investigator (PFI) status

Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced that they have attained the status of approved Payment Forensics Investigator (PFI), confirmed by the PCI Security Standards Council (PCI-SSC). Sysnet are now listed on the PCI-SSC website as approved PCI Forensic Investigators:
www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php

The PCI Security Standards Council’s PFI program establishes and maintains the rules and requirements regarding eligibility, selection and performance of companies that provide forensic investigation services to ensure they meet PCI Security Standards. The PFI program aims to help simplify and expedite procedures for approving and engaging forensic investigators. The PFI list will replace the previous ‘QFI’ list as of March 1, 2011. After March 1, the card brands will only accept forensic reports from companies that are on the PFI list.

With the growing threat of credit card fraud across the globe and more aggressive tactics shown by organised criminal groups, if an Account Data Compromise (ADC) does occur and an investigation is required, Sysnet are well equipped to minimise the potential loss and ensure that the affected organisation is back to trading in a safe, compliant manner as soon as possible.

“This achievement is the result of the cumulative effort of a number of people at Sysnet and we are delighted that we are now on the PFI list,” said Nick Prescot, Senior Consultant of the Data Forensics team at Sysnet Global Solutions. “Whilst we wish that no organisation suffers a data compromise, we can now demonstrate that the Sysnet approach to quality, dedication and thoroughness will ensure that, should the worst happen, the end result will be an organisation that is not only above and beyond the requirements of today’s compliance but also well prepared for the future.”

In preparing and rehearsing against potential account data compromises, Sysnet Global Solutions offer incident management workshops, intelligence briefings on the latest trends, briefings on best practice in securing personal data, guidance on how to deal with the legal aspects of an investigation and insurance services that enable organisations to be best prepared in the event of a data compromise.

“This is a very important achievement for Sysnet,” said Gabriel Moynagh, General Manager at Sysnet Global Solutions. “Our PFI status complements the extensive range of products and services we currently provide and further increases our ability to assist our clients in protecting vital business information assets.”


For further information on our PFI Consultancy Services, please contact one of our Sales representatives by calling +353 (0)1 495 1300 or by completing our Online Enquiry Form or Request a Call Back Form.

Sysnet to present at the Vendorcom PCI & Payment Security Retailer Breakfast Briefing

Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, will present at the Vendorcom PCI & Payment Security Retailer Breakfast Briefing on March 1st 2011. The event, which takes place in London, will address the information security issues faced by merchants.

The briefing will take the form of short presentations that will provide attendees with up-to-date information that will help improve the security of payment data and move PCI to a business as usual process.

“The data forensics team at Sysnet are very excited to be part of the Vendorcom breakfast briefings,” said Nick Prescot, Senior Consultant – Data Forensics, at Sysnet Global Solutions. “Cyber warfare is a relatively new and growing phenomenon and no more so than within the realms of cardholder data. We are passionate about educating, preventing and, when an unfortunate event happens, responding to incidents and ensuring that all businesses affected by a breach emerge from an incident with a renewed confidence in security.”

The presentations will be followed by a Questions & Answers session, during which the speakers will be joined by Nick Heape of Visa Europe and Phil Jones of Barclaycard.

The briefing will take place at the Herschel Room, 76 Portland Place, London, W1B 1NT and will commence at 8.00am and will conclude at 10.30am.

To register a place at this briefing, please go to the following link: www.vendorcom.com/register.php?event_id=78

PCI & Payment Security Retailer Breakfast Briefing – Tuesday 1st March, London


and supported by BARCLAYCARD & VISA EUROPE
Sysnet Global Solutions is proud to be supporting – and speaking at – the Vendorcom PCI & Payment Security Retailer Breakfast Briefing on March 1st and we’d be delighted if you could join us.
This briefing will take the form of short, punchy, focused presentations that will provide you with up to date, accurate information that will help you improve the security of your payment data, move PCI to a business as usual process and ensure that you keep both the business and the customer happy; all this – and not a sales pitch in sight!!
In this briefing, with the help of both ourselves and Tripwire, Vendorcom will be looking at the business impact of PCI & Payment Security:
  • What is the cost of compliance (versus non compliance)?
  • How do you work with your suppliers to minimise the risk of a security breach?
  • If you are breached, what steps can you take to minimise the impact both directly on your customer and on your brand?

Following these presentations, there will also be a Q&A panel, where the speakers will be joined by Nick Heape of Visa Europe and Phil Jones of Barclaycard. This is the opportunity to ask ourselves and the rest of the expert panel your unanswered PCI & Payment Security questions. There will also be time after the session to stay on, ask any additional questions that may not have been answered in the group session – and to network with your peers, the panellists and the Vendorcom team.

It may not always feel like it, but as an industry we are here to help – please take advantage of us!!

Please Note: This briefing is FREE to attend

Agenda:

0800 - 0830 Registration, Breakfast & Networking

0830 - 0840 Welcome & Introduction
Paul Rodgers, Chairman – Vendorcom

0840 - 0905 The True Cost of Compliance

Tripwire have recently completed research into the True Cost of Compliance to determine the full costs associated with an organisation’s compliance efforts. This presentation will highlight the recently released benchmark study of multinational organisations providing a clear understanding of the differences between compliance and non-compliance costs incurred when complying with laws, regulations and policies.
Mike Shanahan, Account Director - Tripwire

0905 – 0930 The Security Breach: Guarding Against and Reacting To!

The PCI DSS is designed to help us guard our business against security breaches – that’s all well and good, but how do we work better with suppliers to ensure that they’re working to reduce our risk as well? And if the worst happens and we are breached, what is the best course of action? In essence, this session will encourage you to prepare for a breach, know how to limit your exposure to the risk of a breach and understand what best to do in the event of an account data compromise.
Nick Prescot, Senior Consultant, Forensics – Sysnet Global Solutions

0930 – 1000 Q&A Panel

What do you really want to know? What is the most burning question you have about PCI & Payment Security that remains unanswered? Now is your chance to ask it!!
Mike Shanahan (Tripwire), Nick Prescot (Sysnet), Nick Heape (Visa Europe), Phil Jones (Barclaycard), Paul Rodgers (Vendorcom)

1000 – 1030 Coffee & Networking

Your time away from the business is precious, we recognise that, and that’s why we’ve kept this session short and snappy! However, we also know that there’s never enough time to answer everybody’s questions in an open session – and indeed there may well be questions that you don’t want to ask in an open session.

So, the Vendorcom team, our speakers and our panel will all be staying on for coffee after the session so that, if you want to, you can spend an extra few minutes/half an hour, asking questions and taking the opportunity to share experiences with your peers – who knows what additional nuggets of information you could pick up that might just help your business!

Date: Tuesday 1st March 2011

Time: 0800 (for a prompt 0830 start) – 1000 (with opportunity to stay on through to 1030 to ask additional questions/network)

Venue: Herschel Room, 76 Portland Place, London, W1B 1NT

Nearest Underground Station: Regents Park (Bakerloo Line), Great Portland Street (Circle, Hammersmith & City, Metropolitan Lines)

Cost: This event is FREE to attend

Registration: To confirm your place at this event: Register Here

We hope that you will be able to join us, Vendorcom and Tripwire on 1st March.

Sysnet Global Solutions announces appointment of new Regional Manager for North America

Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced the appointment of Bill Hodge as Regional Manager for North America with immediate effect. Bill will be based in Knoxville, Tennessee.

In this role, Bill will oversee Sysnet’s North American based business activities with an emphasis on new business development and client relationship management.

“We are very pleased to welcome Bill to the company,” said Tom Moynagh, Managing Director at Sysnet. “Bill has considerable experience in the Information Security industry, having provided consultancy, audit and risk assessment services to businesses operating in a wide variety of industries. We look forward to working with Bill and to the further development of our US based business.”

“I am delighted that Sysnet have identified North America as a key region for business growth,” said Bill Hodge, Regional Manager for North America. “This is a critical time for many organizations as they struggle to both maintain regulatory compliance and protect their businesses whilst also adhering to strict budget controls. I am confident that Sysnet can provide the best value services to assist such organisations in meeting all of these requirements.”

Bill graduated from East Tennessee State University with Bachelor’s and Master’s degrees after serving in the United States Marine Corps. He also holds an AAS in Computer Science from Pellissippi State Technical Community College, and has earned the CISA and CISSP certifications.

Further key personnel appointments for the North American region are expected in the near future.

Sysnet announces relocation of headquarters to accommodate business expansion

Sysnet Global Solutions, a leading worldwide provider of information security and assurance services, today announced that due to significant business expansion they have relocated their Dublin headquarters to 4th Floor, The Herbert Building, The Park, Carrickmines, Dublin 18.

“We are very pleased to announce the relocation of our Dublin based headquarters to accommodate our growing workforce,” said Gabriel Moynagh, General Manager at Sysnet Global Solutions. “During the past year we significantly increased our staff numbers to support recently announced client wins, including two major banking clients. The majority of new hires have been to support our Compliance Managed Services solution that provides PCI DSS merchant portfolio compliance validation for banking and other acquiring organisations. Similar growth is expected during 2011 with further new client announcements to follow.”

PCI DSS is a set of comprehensive requirements for enhancing the security of payment account data, transactions and processing systems. It was developed by the founding payment brands of the PCI Security Standards Council, and has been adopted by third party processors and merchant acquirers globally to combat cardholder data fraud.

Sysnet’s new headquarters will cater for both its current and future business expansion requirements. The company also recently opened their new UK based office at Davidson House, Forbury Square, Reading, RG1 3EU Tel. +44 (0)118 900 1510.