Payment Card Security & IT Controls Explained

Entries categorized as ‘auditing’

New Gadgets (iPhones, etc..), Compliance, and Awareness

February 5, 2008 · No Comments

A short piece in the Wall Street Journal the other day focused on the challenges that firms face with the introduction of new technology, and how these new gadgets can complicate an organization’s controls. The article highlights the difficulties faced by investment firms, as specific regulations require them to capture all traffic relating to financial transactions. In the context of this mandate, the article raises the issue of employees purchasing iPhones and other smartphones, and the resulting difficulty in meeting regulatory mandates.
This issue is not reserved for financial firms alone, but applies to any firm. New technologies, such as smart phones, Instant Messenger, Peer to Peer, Torrents, and VOIP, are all initially resisted by firms until an ROI and business case justifies the added management expense. Beyond the adoption of these technologies, organizations that adhere to standards such as PCI DSS must be aware of the implications of these tools:

  • Sensitive data may be transferred to these devices, increasing the scope of an audit
  • Transmission, storage, or processing of sensitive data through these newer technologies requires a re-evaluation of the risks, controls, and procedures
  • Deployment and enhanced control environments are required, as the technology expands the platform, geography, and dimension of the data itself
  • Management direction must be re-evaluated to ensure that extended operations resulting from newer technologies are aligned and consistent with the strategic efforts of the organization
  • Updates to policies and procedures are necessary
  • Modifications to disaster recovery and backup systems must include these newly introduced technologies that emerge as part of the business processes

Avoidance of technology leaps and enhancements can damage a firm’s competitiveness, but blind adoption can result in far greater financial and legal penalties.

Best,

James DeLuccia

Update: Book release is now March 19th 2008!! Pre-order today.

Categories: Compliance · Governance · IT Controls · Management · PCI DSS · Payment Card Industry Data Security Standard · audit · auditing

How does Fraud and PCI go together?

December 17, 2007 · 1 Comment

An interesting phenomenon has occurred in the world of privacy data breaches, and specifically PCI DSS cardholder data breaches, in that fraud (acts committed intentionally by insiders, or thefts that are suspected of being fraud) has almost completely been forgotten. That is not to say that fraud is absent from an organization’s basic risk register, but rather that a level of perception bias may have enveloped the field. This perception bias is truly an example of a complacency effect that arises in most risk managers’ minds, and it is reinforced by the overwhelming number of successful hack attacks on organizations. To the business this is an important risk that must be addressed prudently throughout the organization.

An excellent set of resources is available through the Association of Certified Fraud Examiners (ACFE), where there are numerous articles and guides addressing many kinds of threats to an organization. I raise this issue because I recently conducted a research effort that evaluated the threats to organizations, retailers specifically, and how the control environment should be appropriately tuned. A thorough analysis (using in part the excellent Privacy Rights Clearinghouse data breach data) highlighted that although online attacks are more fruitful to attackers, there are nearly three times as many incidents under the fraud umbrella. The implications of this data are different for each organization, but must be considered in every risk management effort. As part of a fraud strategy, organizations should give serious consideration to SAS 99. Below is a table from the research:

[Table image: PCI_Breachdata (breach incident counts by category; image not reproduced here)]

PCI DSS specifically requires controls that align with ACFE and AICPA fraud prevention practices. PCI DSS controls such as access authorization, separation of duties, and clearly defined job responsibilities all support the prevention of fraud in an organization.
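To make the two controls named above concrete, here is an added example (my own illustration, not code from the original post or from any PCI DSS reference implementation) that checks a role catalogue for separation-of-duties conflicts and a grant log for access authorizations that were missing, self-approved, or approved by someone without authority. The conflict matrix, roles, users and log entries are all constructed for the example.

```python
# Added example, not code from the original post. The conflict matrix, role
# catalogue, users and grant log below are constructed for illustration.

# Privilege pairs that one person must never hold at the same time (constructed).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"issue_refund", "approve_refund"}),
    frozenset({"modify_cardholder_db", "review_db_audit_log"}),
}

# Role catalogue: role name -> privileges it confers (constructed).
ROLE_PRIVILEGES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "cs_agent": {"issue_refund"},
    "cs_supervisor": {"approve_refund"},
    "dba": {"modify_cardholder_db"},
    "log_reviewer": {"review_db_audit_log"},
}


def effective_privileges(roles):
    """Union of the privileges conferred by a user's roles; unknown roles confer nothing."""
    privs = set()
    for role in roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def sod_violations(user_roles):
    """Map each user holding both halves of a conflicting pair to the pairs they hold.

    user_roles: {user: [role, ...]}
    Returns {user: [(priv_a, priv_b), ...]} with pairs sorted for stable output.
    """
    findings = {}
    for user, roles in user_roles.items():
        privs = effective_privileges(roles)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= privs]
        if hits:
            findings[user] = sorted(hits)
    return findings


def unauthorized_grants(grant_log, approvers):
    """Flag role grants that lack a valid, independent authorization record.

    grant_log: iterable of {"user": ..., "role": ..., "approved_by": ... or None}
    approvers: set of identities permitted to authorize access
    Returns [(user, role, reason), ...] in log order.
    """
    findings = []
    for entry in grant_log:
        user, role, approver = entry["user"], entry["role"], entry.get("approved_by")
        if approver is None:
            findings.append((user, role, "no approver recorded"))
        elif approver == user:
            findings.append((user, role, "self-approved"))
        elif approver not in approvers:
            findings.append((user, role, "approver not authorized"))
    return findings


# Constructed sample data: two users have accumulated conflicting privileges,
# and two grants were never properly authorized.
USER_ROLES = {
    "alice": ["ap_clerk", "ap_manager"],
    "bob": ["cs_agent"],
    "carol": ["dba", "log_reviewer"],
    "dave": ["cs_supervisor"],
}
GRANT_LOG = [
    {"user": "alice", "role": "ap_manager", "approved_by": "alice"},
    {"user": "bob", "role": "cs_agent", "approved_by": "erin"},
    {"user": "carol", "role": "log_reviewer", "approved_by": None},
    {"user": "dave", "role": "cs_supervisor", "approved_by": "frank"},
]
APPROVERS = {"erin", "frank"}

if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        print(f"SoD violation: {user} holds {pairs}")
    for user, role, reason in unauthorized_grants(GRANT_LOG, APPROVERS):
        print(f"Authorization gap: {user} granted {role} ({reason})")
```

Run against the constructed data, the checker reports that alice can both create a vendor and approve payments, that carol can both change the cardholder database and review its audit log, that alice approved her own manager role, and that carol’s log-reviewer role has no approver on record. In practice the conflict matrix and approver list come from the organization’s own policy documents, and the grant log from the access provisioning system; the checker is the same.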

Over time I will expand this article as I find more data and expand on which core controls of PCI are beneficial for preventing fraud. There is also a richer breakdown of SAS 99 at IT Compliance and Controls for those interested.

I would be interested to hear examples where fraud played a role in a data breach, and what areas of the PCI DSS standard were critical in the detection or mitigation of the fraud.

Best,

James DeLuccia IV

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Risk Management · audit · auditing

PCI DSS Teleconference December 6th 2007

November 29, 2007 · 1 Comment

On December 6th at 12:00 EST I will be co-presenting with Prat Moghe on PCI. We will focus primarily on PCI requirements 3 and 10. The teleconference is built on questions submitted by participants, which will be addressed during the presentation. Listen live or check back for the archived version.

http://www.tizor.com/News-And-Events/Hot-Topics/So-you-think-youre-compliant

So you think you’re compliant? Let’s talk PCI: An hour with the experts

Even as another PCI deadline looms, questions are being raised about what it means to be PCI compliant. Not only is there confusion about what it takes to become compliant, there is also a lack of confidence that stored customer data will be safe from internal and external threats once PCI requirements are met.

The confusion on the subject of PCI is exacerbated by varying technologies that claim to be the silver bullet for compliance. Hoping to reverse that trend, Tizor Systems invites you to a teleconference event designed to provide straightforward answers to pressing questions about some of the grey areas of PCI compliance. Specific areas that we will be covering during the teleconference include:

  • Data security and how it relates to cardholder data protection
  • PCI requirements 10 and 3, and when and where to use encryption
  • Compensating controls for encryption
  • Today’s approach to database logging and why it doesn’t work for compliance or, more importantly, for catching internal and external threats

Best,

James DeLuccia

Categories: PCI DSS · audit · auditing · conference · regulations

Merger & Acquisition impacts to technology and PCI DSS compliance

November 16, 2007 · 1 Comment

The other day I was reading a post by Alan Calder who referred to a presentation overview covering mergers and acquisitions entitled IT Governance and Mergers. This topic has interested me for some time. Merging the information environments of two organizations is a very complex situation, and one that I feel must be strongly considered by all practitioners and executives alike. A few considerations about how we are defining M&A:

  • The blending of two information systems can involve two separate public companies that are merging through some financial arrangement
  • In other cases, and much more commonly, the organization may be centralizing the technology environment after years of organic regional self-governance
  • A third case to consider is the re-development of the information environment (i.e. cancelling the BPO and bringing technology systems back in house)

The convergence of information environments covers all aspects of an organization at once: its controls, its processes, and its people. In the article the author does an excellent job highlighting the results of a conference session he hosted on M&A. He breaks down some great points to consider and pitfalls to be wary of when technology centers merge together (the focus is on law firms but is wholly transferable to any organization). I would strongly recommend reading his full post, as he had access to numerous high-level CIOs.
While a full breakdown of M&A best practices is a worthwhile topic, this post focuses on the PCI DSS and general compliance issues that arise, and highlights some points that must be understood:

  • Merging organizations creates a single entity, and this applies to everything from taxes to compliance requirements. An organization that was once excluded from specific disclosure laws may now be obligated.
  • PCI DSS levels of attestation are determined by each card association based on the total accounts processed by a single entity. Two organizations that merge as Level 2 Merchants may soon become a Level 1 Merchant. This leap greatly increases the operating technology budget needed to ensure greater controls are in place, and creates the need to develop a plan to achieve compliance.
  • The policies and procedures of each organization are different, and as these systems are merged together (which is considered best practice) there must be a full revamp of the documentary evidence.
  • Merging backbone infrastructure from another organization also introduces a larger number of access points to sensitive data, and/or increases the scope and applicability of compliance safeguards. This may require a full evaluation of the technology architecture and the information flows through the system.

The effects of M&A on organizations are an exciting problem to solve, but it can only be addressed efficiently by completing the following basic steps:

  • Develop a consensus on the business direction after the merger through a management-level session
  • Identify all systems that manage the information environment and map BOTH environments to the controls, business requirements, contractual obligations, and regulatory mandates of the post-merger business
  • Prior to “flipping the switch”, consolidate and expunge unnecessary systems
  • Finally, institute performance monitoring thresholds throughout the environment to further improve the organization’s information systems
  • One decision should be considered prior to every merger: should this merger happen at all? It is a hard question that must be weighed where technology environments are competitive advantages.

Other experience with M&A? Please add comments on how it affected your PCI compliance efforts.

Best,

James DeLuccia IV

Categories: IT Controls · PCI DSS · Payment Card Industry Data Security Standard · audit · auditing · mergers and acquisitions

IIA South Eastern Regional Conference Day 2.1 - Effective Compliance Programs

September 28, 2007 · 1 Comment

The second day of the conference was excellent. Everyone I spoke with regarding the speakers, topics, and materials thought day 2 was the best and blew away the first day. I had the privilege to attend several sessions that focused on corporate governance, audit committee oversight duties, fraud risk assessments, and effective audit techniques. I was unable to attend the full day on Wednesday, Day 3, but was able to enjoy Ed Robinson’s presentation and a thorough breakdown of the Foreign Corrupt Practices Act (FCPA). I will post my notes from the conference in sections, given the need to digest all that I heard prior to posting:

“Structuring an Effective / Comprehensive Compliance Program” was presented as a panel discussion that included several notables: Ryder, OCEG, Turner, and Southern Company.

  • It was noted that SOX provided several benefits: attention and resources around the existing compliance program, and the motivation to mature. Second, SOX identified how weak many of the technology controls surrounding the financial reporting systems were.
  • A study from the OCEG was presented with several trends and statistics (available; check out this post for the OCEG and many more):
  • The status quo in organizations is the existence of SILOS (Finance, HR, IT) in the management of compliance and control requirements
  • Technology solutions are trending to bridge these SILO gaps and create a central management approach
  • 2/3 of companies were found to be adversely affected by redundant/duplicate controls. These effects included:
    • The pain of reconciling disparate data
    • Difficulty finding the truth
    • 1/2 of all identified failures caused harm and damage to the organization (deficiencies), but these effects were short lived and the memories were quickly forgotten in the organization.
    • Only 14% of respondents had integrated their compliance programs
    • The overarching theme that resonated from the study was the need for consistency and accountability
  • Compliance departments must not become the Department of NO. (A role that IT Security once held, and in some cases still holds)
  • The existence of a Chief Risk or Compliance Officer is attributed to the FSG (Federal Sentencing Guidelines)
  • General overview of the FSG (Mainly pulled from Chapter 8):
    • Possess good policies and procedures
    • Assign a responsible party (Compliance Officer)
    • Existence and presence of a program
    • Communicate / publish / train on the program
    • Enforce the Standards
    • React and address problems
    • “Effective” as defined by the FSG is a program that has the ability to identify and prevent criminal activity
    • Note: The government does not care how much was spent on a safeguard, only that it is effective; business perspectives must be considered
    • The FSG is not a compliance regime or standard for an organization, but should be incorporated to ensure that the organization is protected and that due care is taken for its personnel
  • Challenge of Ethics
    • Organizations can choose to accept fines for non-compliance if only direct costs are considered
    • Ethics are decided based upon social duties, doing the right thing, and based on the maturity of the business
  • When dealing with auditors, create a relationship and seek to understand the intent of the effort
  • Understanding the reasons information is sought allows for the organization to provide the correct information.
  • OCEG - the Red Book published in its current form has recommendations on establishing a compliance program
  • The risks faced by an organization can come from a number of areas and must be the central responsibility of a core group, i.e. the Compliance group. These risks may be categorized as environmental, compliance, people, ethics, regulations, and business
  • A simple method of gaining acceptance by business parties is to first identify the risks (see categories above), second vet these against a formal corporate compliance steering committee (vet and weigh the risks), third give the business another pass, and finally compare these digested risks and ratings against any multinational rankings
  • Benchmarking is very important to ensure a business is neither overspending nor falling behind in technology innovations. Benchmarks can be gathered through OCEG and public surveys
  • Several Studies were recommended to include:
  • A common refrain by the panel was that compliance programs should promote the delivery of advanced information on compliance to satisfy the concern of management, the Board, and the Audit Committee
  • Some takeaway tips from the session:
    • Develop an Agreed-Upon Procedures process for GRC
    • Define hard metrics for a framework; consider the OCEG Red Book
    • Become certified, whether by ANSI, OCEG, or others
    • A tip from the OCEG spokeswoman was that everyone should join the OCEG study survey process, because all participants get a free customized report that provides benchmarks based on each survey

Benchmark, Benchmark, Benchmark:

  • Timely, complete statistics that an organization can absorb for comparison are not easy to locate; however, a great tip provided by the panel was to look for bad reports!
  • Bad compliance or failed audit reports that are made public in proxy filings and by government agencies contain huge amounts of information on what was done wrong: Fannie Mae (a 348-page report worthy of any good flight across the pond), Boeing, and CA
  • Take advantage of free webinars to learn about the latest interpretations of laws and requirements

The greatest theme that resonated throughout this session, one-on-one interviews and discussions I had, and those of other sessions can be summed up in the following points:

  • Seek to understand an organization’s culture; even transformational leaders must understand where the river flows before effecting change
  • Identify areas of value from the compliance program beyond avoiding fines, and contribute to the mission of the business
  • Risk assessments (of all risk categories) are a necessary starting point before any audit and monitoring is possible
  • Communicate in a language that can be understood, and gain a presence with the Directors and executive management

A huge overview, and I hope of some value to anyone seeking to hone their compliance programs. There is a tremendous amount of thought leadership in this area, and I encourage anyone to contact me to discuss these points.

Best regards,

James DeLuccia IV

Categories: CoBIT · Compliance · IT Controls · Sarbanes-Oxley · State Laws · audit · auditing · conference · iia · information security · regulations · sox