Live from ETA Day 1, by James DeLuccia IV

This week is the premier conference for those that store, process, or transmit cardholder data (affectionately referred to as CHD, by me). Everyone from VISA / AMEX / DISCOVER / MasterCard to the POS devices themselves are here. The industry is a very tight group, and it has been an amazing experience to realize how much these companies work together to meet customer (consumer) demands / needs.

I have had the privilege to speak with dozens of companies and sit through several discussions on the payment industry and the PCI DSS requirements. This entry contains my notes and takeaways from the first day. These take aways include:

• PCI DSS program Updates (new version, changes!)
• Threats, Trends, and Analysis
• Safe harbor for Small Merchants
• PCICo
• Top Reasons for Compromises
• Top Actions to mitigate compromises

ETA, the Electronic Transaction Association, is the conference to learn about how the payment industry is growing, the latest technologies, and recent security efforts. The conference has an exhibitor hall of nearly a hundred companies that provide everything from the POS hardware to the biggest card companies in the world. This international event includes breakout sessions where the experts and leaders of their field can discuss how to handle real world situations. After attending some of the breakout sessions and hearing from over 30 product companies, I have compiled a breakdown of the best tidbits, morsels, and other bits of goodness. As more details come forward I will be sure to post them.

First off, some figures provided by the credit company themselves.

• VISA presented some figures on how many companies are meeting the PCI DSS validation / compliance requirements. At the time of the convention, around 74% of merchants have submitted or their ROC (report on compliance) is under review. This is roughly 232 organizations.
• In addition, approximately 1,592 merchants have submitted their SAQ (self assessment questionnaire) and their PCI DSS external scan results

PCI DSS Updates:

• PCI DSS will be updated from version 1.0 to version 1.1 in the summer of this year – “PCI DSS version 1.1 will provide changes in form, not substance” – VISA representative
• PCI DSS version 1.1 will contain greater specificity in the controls that should be in place
• Updates are occurring with feedback from a sampling of Acquirers, Issuers, QDSCs, and Service Providers
• An additional Merchant level will be included to provide a more absolute line. o Companies processing greater than 1 million cards will be required to have a SAQ and PCI DSS external scan
• June 30th 2008 requirement – WEB APP firewalls o PCI DSS will include a requirement for WEB APP firewalls to be in place by 2008. This will address many of the application layer threats and cause a simpler compliance effort for companies that meet PCI DSS mandates
• Top 2 major initiatives: o Continue message of “Not storing TRACK data” o Increase acceptance and adoption of PABP initiatives

Threats, Trends, and Analysis:

• TRACK data is commonly discovered in logs o This is from forensic data and it was determined that the companies were unaware of this activity by the application
• SQL attacks were a part of every credit card breach recorded in the past few years (not the root cause, but part of the attack)
• 84% of POS PC systems were the source of compromises o Attacks generally came from remote sites using test equipment
• Attacks came over several channels: o 30% over dial-up o 47% over Cable / DSL
• 60% of errors and violations were a direct result of 3rd parties
• 99% of Brick and Mortars that suffered a compromise were storing TRACK data
• 25% of compromises are due to laptop theft or paper receipt theft

Safe harbor for Small Merchants:

• Small merchants can and should meet PCI DSS requirements
• Small merchants represent largest source of compromises
• Reason: small companies cannot afford ($$) the cost of a breach
• Safe harbor: o Demonstrate validation – SAQ & Scans o Maintain validation – good documentation

PCICo:

• Similar to SETCo
• To be formed organization that will manage the PCI Documents
• Accredit QDSC organizations
• Eventually handle other duties

Top Reasons for Compromises:

• No Firewall
• Backdoor or Trojans
• Remote Access configuration errors
• Remote system exploits
• SQL Injection
• Non-compliant hosting provider

Top Actions to mitigate compromises:

• Install a stateful firewall ($1,000 for a model that can be managed remotely)
• AV and / or personal firewall
• Disable remote management on internet facing devices o & block incoming ports on your NEW firewall
• Patch, patch, patch
• This one is harder, but: o Practice good web site developments practices o Practice good DB development o Test, Test, Test o Web app firewall
• Require provider demonstrate PCI DSS compliance o They can and probably need to be certified o They may have already done it for one client (perhaps there is a plan that includes PCI DSS certification for a couple of bucks) o Request a SAS 70 type II with Control objective details (verify that the control objectives and procedures align completely with PCI DSS)

A lot of the details above were heard during presentations, anecdotal conversations, and through public literature available. A special thanks goes to all of the panelists for providing great information and especially to the card processors for their transparency in the success of the PCI DSS program. There is a tremendous amount of work that must happen in the credit processing industry in order to properly secure the data and maintain customer trust. I believe that from the efforts of these groups these necessary changes are still important. One disconcerting fact is that many of the ISOs, product companies, and general service providers do not know what PCI DSS is or what the requirements are. This is very troubling as we have reached nearly the year and a half mark.

Training, education, and continued efforts by everyone involved are necessary to truly insure that PCI DSS 100% compliance will be possible. Tomorrow is the final day and I hope to provide even more detailed information. I will put together some final thoughts on the red eye back from Vegas, and look forward to any feedback.

Any other attendees or anyone with questions on the conference, please add a comment below and I will try and address them directly.

James DeLuccia

PCI Mandates drop 8 of OWASP Top 10, by James DeLuccia IV

MasterCard announced last week that the web application requirements for those receiving validation of external assets is being reduced. Specifically, the requirements that listed the OWASP Top 10 as the standard has been reduced to a lesser, OWASP Top 2. What does this mean for the industry? How does this appear to Congress as they navigate several pieces of legislation on protecting this type of information?

First off, a little background on validation and PCI DSS: In order to process credit cards an organization must agree to be compliant with the PCI DSS requirements. Organizations agree to these terms in their processor operating regulations contracts. Depending on how much volume the organization manages they have to demonstrate compliance. Compliance can mean scanning the external segments or an onsite validation from a 3rd party. The scanning portion is managed by MasterCard and they actually certify companies to become compliant assessors. In addition, MasterCard provides the standards and criteria with which these services must be conducted.

Over the past year and a few months the standard has gotten stricter and required greater diligence by the assessor. That is until a few weeks ago when MasterCard deprecated the requirements for the web application component.

Prior to this last update, companies were required to have no threats as outlined under the OWASP Top 10 categories. This listing has become the defacto standard for classifying and recognizing threats for online applications. The update eliminates all but two of the Top 10. See below:

The change can be interpreted in two ways. First, MasterCard received a large amount of complaints that the requirement was burdensome on the auditor and auditee. Second, MasterCard feels that the other 8 requirements are best practices and not objective enough to be part of an audit.My thoughts are that this reduction in audit requirements is not consistent with the industry’s commitment to preventing security breaches. Web application vulnerabilities constitute a tremendous amount of the serious threats to organizations, and without some form of prevention (regular quarterly audits / web assessments, or web application / intelligent firewalls / IPS) the company and the industry’s image are at risk, not to mention the client’s data.

Is it appropriate to reduce the PCI DSS standards? Are those 8 other items really that subjective? If they are, should there only be a Top 2 list? Web App assessors, PCI QDSPs, or those who receive these services – SPEAK out!

James DeLuccia

AJAX, the Internet,and Data Retention, by James DeLuccia IV

AJAX is the latest craze in online development tools, not withstanding ruby, and as simple and wonderful it is to have webpages (gmail.google.com) not refresh repeatedly this does raise a concern. My security-compliance sirens are going off the more I see online repositories or enablers for online development. The trend, even with Microsoft Office, is that the era of purchasing software packages that you own (own being a relative term in this modern EULA world) is ending and the ASP model for sales support software, accounting software, email systems, and now online word processing is taking over. This leads me to two points (and I am certain there are many more…); one, as we were rightly concerned with back office main frames being put on the web, why are we not as concerned with our IP (intellectual property) being put onto other servers in other countries through these ASP models; second, how does this displacement impact our duty as security practitioners to meet our regulatory and compliance requirements?

In the beginning of time (again, relative) all the data of an organization was stored on big iron in the back room and everyone could enter data through terminals. Then we were given a great gift (the Internet), and we moved all of the data from mainframes onto cheaper, more interactive (inherently less secure) systems and made them publicly available. Well, privately first and then we realized automation and enabling clients to input their information was WAY cheaper. At this point, all the data that is ours is still within our control, on our servers, and operating within the business controls we (security professionals, auditors, management, and the board) accept. Now we are seeing the trend again shift to fully online systems where companies only pay a subscription, or the service is for free (until VC funding runs out).

Back office operations were one of the first with companies like SalesForce.com and Netsuite.com, and these systems were given all our data and we interact with them. These companies provide a service and replace the big software packages that companies would have to purchase. The latest twists are sites (leveraging AJAX) that provide the workspace to create IP. Sites such as AjaxWrite.com provide an interface where anyone can write a word document (yes, Microsoft Word) and save it in a compatible fashion. The challenge here is – who owns this content, how is it protected, and if it is online are they saving a copy? Also, beyond the disclosure threats of creating documents over insecure (unknown) systems, how do we as compliance requirements state – ensure that the information is retrievable for e-discovery?

Thoughts on minimizing the likelihood and consequences of using these types of systems:

• Controls, controls, controls – Be sure in the SLA with the vendor that you have the right to audit how they manage your data. If possible, request they provide a full SAS 70 Type II and confirm that the controls tested were relevant to how they use your data.
• Encryption – Verify that the site permits only top tier encryption strength through certificates, that are valid / up-to-date / and are signed by a higher authority.
• Authorization / Authentication – Confirm the site requires authentication to access your data, and confirm that the user provisioning is secure. Verify the help / support desk of the vendor doesn’t reset passwords without proper identification, and request a regular (90 days) report of accounts, activity, and strength of passwords.
• Deny – The easiest thing to do is eliminate the ability for people to expose IP to sites that enable content creation beyond the control of the business safeguards. This cannot be done by disabling AJAX or JAVA, but instead requires a strict policy to convince the employees not to use these technologies. Of course, adding a good DNS / IP address block wouldn’t hurt in discouraging this type of behavior.

To summarize we have Google saving all the emails, searches, and such that happens on their systems (not disturbing until they get subpoenas). Websites such as AjaxWrite (and Google’s latest acquisition and competitor to AjaxWrite www.writely.com) are enabling our employees to create (be productive) content anywhere in the planet with no means of recording or safeguarding this content. While there is guidance on how to handle retention from the Sedona Group in their excellent brief titled, Best Practices Guidelines and Commentary for Managing Information & Records in the Electronic Age, there is not enough precedence set in court to absolutely state how to handle content developed online. So, the question of the hour is, “How shall we maintain controls in an environment that exists only by not having them?” A good question for another time…

James DeLuccia IV