Entries categorized as ‘audit’
In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 report has represented the de facto standard for qualitative fraud calculations and risk mitigation efforts. While there is no substitute for reading the full report, I will highlight the following key areas: Audience, Nuggets, and Action items.
Audience:
The report is written both for those who have fraud responsibilities within the organization and for those who have assets worth exploiting. Therefore the audience I see (beyond the obvious fraud professionals) includes:
- Chiefs - CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
- Business Owners - VP, Directors
- Team Leaders - of small teams
Nuggets:
- 67 pages of facts summarize 959 cases of occupational fraud
- 7% of annual revenues are lost due to fraud (up from 6% two years ago)
- In the U.S. that is approximately $994 billion in fraud losses
- 25% of the fraud cases in the sample caused a million dollars or more in damages
- Tips identified 46.2% of all frauds
- Small businesses suffer fraud more frequently (39.1% of all frauds) and with greater losses (nearly double those of a public company)
- Independent audit of financial statements was the most common control and nearly the worst at mitigating fraud (a high-error area where the perception of accountability does not match reality)
- Most effective controls: internal audit, surprise audits, management review of internal controls, and fraud hotlines
Action items:
- Re-prioritize internal controls to address fraud
- Identify what roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
- Emphasize training of employees on fraud (recognition) and on the safeguards (whistleblower policies) and mechanisms (confidential hotlines)
- Institute a mature process that follows up on all leads completely and objectively (the damages of a fraud grow over time, so quick elimination of identified fraud has strong rewards)
- Establish Surprise Audits and mandatory job rotation
Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment. Segments may be adopted today and into the future. In addition, the ability to eliminate subjective values in risk calculations is tremendous.
Kind regards,
James DeLuccia IV
Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston. My session on Best and Worst IT controls is on Monday!
Categories: Compliance · IT Controls · ROI · Risk Management · audit · regulations
Establishing an IT control environment that is agile and appropriate to an organization is a primary objective of IT Compliance and Controls, a recent book I released based on a global effort. The Institute of Internal Auditors this month in its regular publication, “Internal Auditor”, has a great article, “The Right Fit: Auditing ERM Frameworks” by Alexandra Psca, defining how auditors within an organization can evaluate both an in-progress and a mature Enterprise Risk Management (ERM) program.
What is refreshing about this article is the author’s ability to communicate the reality that a full ERM program is unlikely to fully exist in every organization, and that the presence of a program may come in different styles and colors. When implementing and managing the enterprise risks of an organization, it is prudent to recognize the following:
- ERM is designed to help the organization maximize risks in the daily course of business, not to be a roadblock. Focus on enhancing the risk environment.
- Organizations have organic controls that are established through natural placement by internal teams, and these work products make up the full control environment. Therefore, be perceptive when forming an ERM program, and diligent in leveraging these already present accomplishments.
ERM is designed to reflect the organization’s own operations and risk; therefore one size won’t fit all.
For greater analysis I encourage you to pick up a copy of this periodical from your local Internal Audit department. As the concerns of PCI DSS, GLBA, FISMA, FFIEC, and EU Directives highlight these programs’ importance, managers and executives must be sure to manage the growth and adoption of these programs to achieve the enterprise goals.
Alexandra’s article is republished here too.
Best regards,
James DeLuccia
Categories: IT Controls · PCI DSS · audit
I recently spoke on the best practices found within the PCI DSS and networking security practices. The audience included providers of payment transactions, retail services, and banking solutions. The singular focus provided a forum to dive deeper into the security and compliance intents of PCI DSS without diminishing the worth and importance of the other sections (a common result of focusing on singular areas).
Given the presentation is not available publicly online, I wanted to list the key points highlighted below. As always, please contribute and expand on any area that you have experience or curiosities.
Key points to consider include:
- Defining the boundaries of the sensitive data, and subsequently for auditors and managers the scope of the audit and control environment.
- Addressing specific lower limit control practices
- Establishing a monitor / feedback system
- Usage of compensating controls
I will briefly expand on each of these central tenets… but of course, please do dig into each area; there is simply not enough real estate here to adequately cover all aspects.
Scoping and Limiting Key Controls:
- Establish Segmented environments, and utilize sufficient authorization and access control technologies
- For example: Separate POS network from common network through firewalls and such
Procedure Practices:
- Maintain secure configurations: develop them based on a plan, validate that they meet objectives through a third-party method, restrict modification while in the field, and update consistently
- Take advantage of self-evaluation opportunities to strengthen the control environment and supporting documentation.
Monitoring Controls:
- These are successful when the scope is kept reserved, the notifications are accurate, and there is consistent follow-through from all parts of the organization
Compensating Controls:
- The PCI DSS recognizes that some organizations have robust controls that may not be precisely identical to those advocated… if the intent is met, then submit a request for an exception to a specific control.
- Precedent exists, and it is prudent to integrate only supportive and not duplicative safeguards
As always, please vet your organization from its own unique perspective. I firmly believe that organizations should regularly evaluate their own business procedures (including the processing of cardholder data) and, if necessary, integrate the PCI requirements rather than bolt them on.
Kind regards,
James DeLuccia
Categories: Compliance · Payment Card Industry Data Security Standard · Security · audit · information security

I woke up this morning and was encouraged to see the FTC continue its efforts to monitor the technology safeguards of companies in at least a consistent and security-risk-minded approach. Now, while I am not a fan of unnecessary regulations and always feel that a healthy bit of regular evaluation and expiration is necessary, it is suitable that companies which clearly do not abide by best practices be more closely supervised. This ruling by the FTC is consistent with the one issued for ChoicePoint in Georgia.
An interesting point is the scope of the required audit (physical safeguards through digital) and basic controls referenced under PCI. Specifically the FTC charged that TJX:
- “Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
- Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
- Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
- Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
- Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.” Press Release by FTC
The additional news on the release, expected given PCI DSS policies, was that the company would undergo regular future audits separate from the government audit, which will extend for 20 years.
Catch the full press release here, the Choicepoint ruling here, and the WSJ article here.
Please post any other articles that expand on this… or your thoughts if the FTC is the right body to do this type of monitoring, as it has been a twist on their established authority.
Best regards,
James DeLuccia
Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · audit · information security
There have been recent attacks that threaten the physical integrity of systems but can be mitigated through adherence to PCI DSS and increased vigilance. The recent news stories on Firewire exploits, RAM downloads, full disk encryption weaknesses, and magnetic access card vulnerabilities highlight the necessity of reviewing the PCI physical and monitoring safeguard requirements that mitigate these risks. There is plenty of technical discussion and proof-of-concept work on these attacks, and it is important that we understand how they threaten our cardholder data and enterprise viability.
Requirement 9 states “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.” (PCI DSS v1.1)
- Section 9.1.1 (video monitor sensitive areas) would detect attackers accessing your sensitive servers and secured workstation areas that contain cardholder data - a good detective control for the Firewire, Disk Encryption, RAM, and Magnetic Card reader attacks
- Section 9.2 (Identification) control would contribute to detecting someone bypassing the access control doors if the office was small, or the identification used color codes that signified what employees have access to what areas. (The need for unique identification for employee access levels is that visual access and duplication of one badge is easy, but having the correct type of badge in the right area is more challenging and raises the likelihood of detecting an unwanted guest).
Requirement 10 states “Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”
- Sections 10.2.1 and 10.2.4 require us to maintain audit logs of events for all users and on systems that contain sensitive data. This would provide rapid identification of unauthorized attempts resulting from the magnetic card attack. Usage of triggers would ensure that actions may be taken promptly and through regular review as required under 10.6.
I further investigate this topic of controls and hardware-based attacks at IT Compliance and Controls. In addition, I spend a great deal of time analyzing these vectors and the necessity of proper controls under Principle 3, Access and Authorization, starting on page 173 of IT Compliance and Controls - Best Practices for Implementation (my newly released book).
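As an added illustration of the Requirement 9.2 and 10.2/10.6 points above (not code from the original post or from the PCI Council), the following script runs two review triggers over constructed badge-reader audit log lines: a badge granted entry to a zone it is not authorized for (the right-looking badge in the wrong area), and a burst of denied swipes from one badge (a cloned or guessed magnetic card). The log format, badge ids, zones and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization table: which zones each badge may enter.
BADGE_ZONES = {
    "B100": {"lobby", "office"},
    "B200": {"lobby", "office", "server-room"},
}

# Constructed badge-reader log: "<ISO timestamp> <zone> <badge> <result>".
SAMPLE_LOG = """\
2008-03-27T08:01:00 lobby B100 GRANTED
2008-03-27T08:02:10 server-room B100 GRANTED
2008-03-27T22:15:00 server-room B999 DENIED
2008-03-27T22:15:20 server-room B999 DENIED
2008-03-27T22:15:41 server-room B999 DENIED
2008-03-27T22:16:05 server-room B999 DENIED
2008-03-27T09:00:00 server-room B200 GRANTED
"""


def parse_log(text):
    """Parse log lines into (timestamp, zone, badge, result), oldest first."""
    events = []
    for line in text.splitlines():
        ts, zone, badge, result = line.split()
        events.append((datetime.fromisoformat(ts), zone, badge, result))
    return sorted(events)


def find_alerts(text, denied_threshold=3, window=timedelta(minutes=5)):
    """Return (alert_type, badge, zone) for events a reviewer should follow up."""
    alerts = []
    denied = defaultdict(list)  # badge -> timestamps of recent denied swipes
    for ts, zone, badge, result in parse_log(text):
        # Granted entry outside the badge's authorized zones (unknown badges
        # have no zones, so they alert too): the 9.2 "wrong badge, wrong area" case.
        if result == "GRANTED" and zone not in BADGE_ZONES.get(badge, set()):
            alerts.append(("unauthorized_zone", badge, zone))
        if result == "DENIED":
            # Keep only denials inside the sliding window, then test the burst.
            recent = [t for t in denied[badge] if ts - t <= window]
            recent.append(ts)
            denied[badge] = recent
            if len(recent) == denied_threshold:
                alerts.append(("denied_burst", badge, zone))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Each alert fires once per incident (the burst alert triggers exactly when the threshold is reached), which keeps the queue reviewable under the regular 10.6 log review.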
Please feel free to add comments, additional controls thoughts, and any other approaches that these safeguards manage the risks to our organizations.
Best,
James DeLuccia IV
Categories: Compliance · Governance · IT Controls · PCI DSS · Security · audit · information security