Payment Card Security & IT Controls Explained

Entries from November 2008

MEGA PCI / Payment Card Training, a survivor of CPISA/CPISM Training

November 12, 2008 · 2 Comments

This week I sat through undoubtedly the best education I have had surrounding the payment industry and specifically PCI DSS. The training was provided by the Aegenis group for the Society of Payment Security Professionals – who include noteworthies such as Michael Dahn of PCI Answers.com, and Chris Mark. The training was three very full days and covered their two subject areas – the Auditor and Manager portions. There is a fourth day that is made up of just under 5 hours of testing, so not really a day of learning but of demonstration.
To provide some context here I need to highlight that I have attended the Visa QSA training, ETA training sessions, RSA VISA conference hall sessions, third party PCI training, and have even delivered PCI training. The attendees were a diverse group that included QSAs, Acquirers, Issuers, ISOs, Merchants, and a variety of others. The group made the breaks tremendously valuable and really added to the course. Despite being a very full room and three solid days of material and learning, I was very pleased with the material, presentation, and experience.
A bit of detail for those that deal with payment card information and would like to minimize their risks and maximize their operating budgets:
Auditor section (CPISA)

  • The training is broken out for technical and manager / operator audiences
  • The auditor portion was very technical, but not in the biased security way that some courses provide
  • The auditor section provides great detail on what should be in place and how to ensure compliance with the payment industry's concerns (not solely those of PCI DSS)
  • The auditor certification exam was moderately difficult for me, but less than for others given my experience. Of course, this is all just optimism given the results take several weeks to be calculated!

Manager section (CPISM)

  • This section was tremendously valuable – focused on the macro effect of having sensitive data and what strategically needs to be done
  • That isn’t to say this was fluff – there was a constant flow of practical details from current challenges
  • There was plenty of detail around the contributing regulations (a personal passion of mine) that impact PII and these businesses

I can’t say too much given I signed a privacy and confidentiality agreement, but the bottom line is simple. If your business stores, processes, or transmits credit cards, OR your business makes sure companies do not have security concerns for those systems, you must take this training. The certification exams are extremely tough, the material is based on thousands of pages, and the days of training are the primer for your further education. Those who showed up to this training without preparation weren’t able to dive into the deep problems.

Enough of the payment industry for me this week. For a bit of variety, check out this new breach involving ‘entities’ trying to hack into the candidates’ systems looking for a leg up on policy.

Fresh from Dallas,

James DeLuccia IV

Categories: PCI DSS · audit

Regulation Effects to the Payment Industry: AMEX is a Bank

November 12, 2008 · Leave a Comment

So, there are tremendous implications for their business model, but to place the spotlight on one area let's focus on data security and regulations (my favorite). AMEX is one of the organizations that built the PCI DSS, the PCI SSC, and all recent publications. The intent of PCI was to have industry-forced mandates that protect cardholder data. As private companies, Visa and MasterCard had a lot of leeway in how they handled operations and were able to contain the management of requirements. Given the IPOs of these two associations, and now AMEX becoming a bank, the future looks far different than it did 3 months ago and 12 months ago.
Banks are subject to extensive regulation, and there is substantial guidance surrounding the safeguarding of data through information technology controls. The FFIEC booklets are world renowned for their coverage in this area. In addition to these known requirements there are additional third party requirements that will be introduced. Anyone who has done business with a financial institution that is required to abide by GLBA knows that they too must satisfy the requirements.
My highlighting of GLBA and regulatory leakage (when requirements of one sector trickle down into other sectors of the economy – SOX anyone?) is that while PCI DSS is here to stay, there must be greater forms of validation surrounding Information Technology and Controls. Those who operate within the payment industry would be strongly advised to continue to practice PCI DSS, but also to maintain a more holistic view of contributing and supportive regulatory mandates to ensure smooth operations in the near future.
Other thoughts on how AMEX becoming a bank will impact business?

Kind regards,

James DeLuccia IV

Event Update: BOOK Signing, Free Tastings, and such at Starbucks, 1400 Dunwoody Rd, 2-4pm Nov. 23rd. (There will be prizes, so feel free to stop by even for just a moment!)

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Sarbanes-Oxley · regulations

Dear PCI SSC: How I would change ASV program

November 6, 2008 · 1 Comment

Organizations that have to comply with PCI DSS have undergone at one time or another an Automated Remote Vulnerability scan, as required for all public Internet-facing IP addresses that cater to the payment transaction systems. However, most would also agree that the assessments are not thorough and do not indicate a secure website or set of applications. I have written about that here, and instances of companies that were vetted by such remote scanning companies still being hacked are widely publicized. So, most organizations employ web application penetration assessors to conduct thorough evaluations of these applications.

What is the difference between these engagements? The difference is huge:

ASV scans are basically a remote application checking for widely known vulnerabilities and misconfigurations. Some web application weaknesses are identified (automatically), but nothing to the degree that the application may become unstable during the tests. These last a couple of minutes and cost approximately $1/IP up to $100/IP.

The web application assessors are human beings who intelligently vet the applications in their entirety. Note this is done remotely just like the ASV effort. The difference is that this type of engagement is at least 3 DAYS, and can cost as little as $2,500.

Clearly they are massively different, and organizations should always rely on the assessors' work above that of the ASV. What I would suggest is that organizations that are paying for both should be able to submit their assessor report as a satisfactory ASV report.

Just a thought. Bottom line – companies should have an assessor truly vet their applications to ensure that they are SECURE and resilient to attacks. ASV costs are low enough to be done despite their lack of rigor.

Kind regards,

James DeLuccia IV

On a side note: A book signing will be held on November 23rd at 1400 Dunwoody Rd from 2-4pm. Come by for free tastings at my favorite coffee shop and to chit chat about the book.

Categories: PCI DSS