Payment Card Security & IT Controls Explained

Entries from January 2008

Majority of VISA Merchants are Compliant as of Jan. 22, 2008

January 22, 2008 · No Comments

VISA announced today that the majority of their merchants are PCI DSS v1.1 compliant. Specifically, 99% of Level 1 Merchants and 92% of Level 2 Merchants have met compliance or have submitted an approved remediation program. This is a huge year-over-year increase in compliant organizations, and congratulations are due to the merchants and to Visa for the work that got this done. A fortunate by-product, hopefully, is that we will see similar successes and releases by the other four card associations that make up the majors. It is important to realize that Visa is only one of the four, and the others are just as important to ensuring consumer confidence and to eliminating credit card and identity theft through the payment transaction system.

In addition, I found a study released showing that organizations that are PCI compliant have, as a result, a lower incidence of fraud. This is in line with my earlier articles here and here at IT Compliance and Controls.

Well done Visa and the associated merchants in this release, and here is to making 2008 a far better year than 2007 for online security and consumer credit card confidence.

An article on the press release and its impacts on consumers and merchants is available here by SC Magazine, and here.

Best,

James DeLuccia

Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · audit · fraud · information security

MultiFactor Authentication for Merchants?

January 17, 2008 · 1 Comment

A great piece was written up by Kevin Funnell recapping an article in the American Banker on the impact of banks meeting the FFIEC multi-factor authentication deadline of January 1, 2007. Thankfully many organizations adopted these requirements prior to the hard deadline, and overall fraud rates have plunged. The key points in his write-up that jump out at me are:

Great Success:

“fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication”

This supports the case that multi-factor authentication is beneficial and should provide immediate returns to the organization, both financially and in public goodwill.

Escalation continues:

“increased incidents of branch and contact center fraud and criminals working the channels to get pieces of information”

An important fact that highlights that threats can come from different angles, but the target is STILL the data, and we must do a great job of securing and monitoring those data stores.

What truly resonates with me is the amount of fraud removed through the simple introduction of a control. The economics and technical feasibility of this control are easy to understand and not complex. I feel there is a huge opportunity for online merchants, which are not banks and are not subject to the FFIEC guidance, to fully embrace this control and the necessary technology. PCI DSS mandates under Section 8.3 that administrators, employees, and third parties use two-factor authentication when accessing data remotely; this does not apply (today) to consumers.

A good set of studies on multi-factor authentication usefulness and applicability can be found here, here, here, and here.

Update: a great breakdown of multi-factor approaches and analysis by Karim Zerhouni, Senior Manager at BearingPoint.

Fraud is an issue that impacts business profit margins and disrupts consumers’ lives. Reducing cost and improving the consumer experience is a best practice in any economy, nation, and industry.

Best,

James DeLuccia

Categories: CoBIT · Compliance · IT Controls · Multifactor · PCI DSS · Payment Card Industry Data Security Standard · ROI · Risk Management · fraud · information security

PCI DSS Automated Scanning Vendor (ASV) Shame…

January 11, 2008 · 1 Comment

Is your ASV really getting the job done? I spent several years working with organizations building their automated remote scanning systems and fought the good fight as prices for remote PCI DSS scans plummeted. It became very evident within the first 6 months that vendors who fully automated their systems were winning the battle. What always baffled my teams was that we ALWAYS found weaknesses in customer systems when they switched over to our services, even after having been declared “compliant” by these automated companies.

So the recent news of ScanAlert customers being hacked while “compliant” (no disclosure has been presented indicating whether they were compliant at the exact moment the breach occurred; updates will be added when available), along with several posts highlighting similar inconsistencies, is not news to me or my colleagues (Jeremiah has a nice write-up on this). The fact is we left that market for economic reasons: I couldn’t cover my costs of the scans. Over the past few years I have enjoyed the other side of the coin and have been supporting companies in an advisory fashion. Meaning, I help them understand their business needs and the risks involved, and work through the solutions that are best for the company. Usually the cheapest vendor is NOT the best solution.

The one fact I want to pass along, given all these unfortunate merchants who have suffered a breach, is that you must evaluate your own security precautions. It is the duty of the executives in every corporation to ensure there are proper safeguards that protect the company and its stakeholders. This includes ensuring that, whenever a service provider is providing a service:

  • The service is of sufficient quality.
  • The service is implemented and operational as required (these remote scans must be given complete and direct access to your online properties, and must not be filtered or interfered with by load balancers / IPS / firewalls / etc.).
  • Staff perform regular quality checks (for example, conduct your own web application assessment and compare the results; if the provider is not identifying threats and is only providing a check box, it is in everyone’s best interest that you find another provider).
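One way to put the third check into practice, as an added example that is not part of the original post: reconcile what the ASV reported against your own assessment, flagging in-scope hosts the ASV never targeted, findings it missed on hosts it did scan, and hosts it reported clean while you found issues (the pattern you would expect if a load balancer, IPS or firewall was blocking the scanner). All host names, findings, severities and field names below are constructed.

```python
# Added example (not the post's own code): reconcile an ASV report with your
# own assessment. Hosts, findings and field names are constructed/hypothetical.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Hosts you consider in scope for external scanning (constructed sample).
IN_SCOPE_HOSTS = {"www.example.com", "shop.example.com", "api.example.com"}

# What the ASV says it scanned and what it reported (constructed sample).
ASV_REPORT = {
    "hosts_scanned": ["www.example.com", "shop.example.com"],
    "findings": [
        {"host": "www.example.com", "finding": "TLS 1.0 enabled", "severity": "medium"},
    ],
}

# What your own web application assessment found (constructed sample).
INTERNAL_FINDINGS = [
    {"host": "www.example.com", "finding": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "shop.example.com", "finding": "SQL injection in search form", "severity": "high"},
    {"host": "shop.example.com", "finding": "Outdated server banner", "severity": "low"},
    {"host": "api.example.com", "finding": "Directory listing enabled", "severity": "medium"},
]


def reconcile(asv, internal, in_scope, high_threshold="high"):
    """Compare an ASV report with an internal assessment and return the gaps."""
    scanned = set(asv["hosts_scanned"])
    asv_keys = {(f["host"], f["finding"]) for f in asv["findings"]}
    asv_hosts_with_findings = {f["host"] for f in asv["findings"]}
    # Hosts the ASV never targeted at all: a scoping problem, not a detection one.
    scope_gaps = sorted(in_scope - scanned)
    # Findings on hosts the ASV did scan but did not report: detection gaps.
    missed = [f for f in internal
              if f["host"] in scanned and (f["host"], f["finding"]) not in asv_keys]
    missed_high = [f for f in missed
                   if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[high_threshold]]
    # Hosts the ASV scanned yet reported clean while you found issues: the pattern
    # you would expect if a load balancer / IPS / firewall blocked the scanner.
    silent = sorted({f["host"] for f in internal
                     if f["host"] in scanned and f["host"] not in asv_hosts_with_findings})
    return {"scope_gaps": scope_gaps, "missed_findings": missed,
            "missed_high": missed_high, "silent_hosts": silent}


def asv_is_effective(result):
    """True only if the ASV covered every in-scope host and missed nothing serious."""
    return not (result["scope_gaps"] or result["missed_high"] or result["silent_hosts"])
```

Run `reconcile(ASV_REPORT, INTERNAL_FINDINGS, IN_SCOPE_HOSTS)` on the sample data and the result shows api.example.com as a scope gap, shop.example.com as a silent host, and the SQL injection as a missed high-severity finding, so `asv_is_effective` returns False.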

The end result of this flight from ineffective scanning providers is a stampede to quality and a return of balance in the necessary delivery of skilled assessments. Challenge your perceptions and question the assumptions of your security program for the good of your company and my sensitive information.

Thanks to Jeremiah for a great post on this topic.

Update: May I recommend alternative Approved Scanning Vendors for your reference.

Kind regards,

James DeLuccia

Categories: Compliance · Governance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Risk Management · Security · audit · information security