Payment Card Security & IT Controls Explained

Entries categorized as ‘Compliance’

Extra Extra: FREE PCI TRAINING

July 11, 2008

I am a strong believer in group “live” training experiences where I am in a room with individuals who have different perspectives, challenges, and questions. Unfortunately, the real world keeps spinning and constant training is not always possible, so the web (yes… that which gives and takes) has online training. For those unaware, there are several very good free online training seminars for PCI DSS. In fact, the one I am highlighting is “sponsored” by MasterCard.

After free registration (the simplest I have seen yet), you are provided with a list of sessions to listen to, or you can download the PDFs! Currently you can find nearly a dozen sessions here. They cover the following topics:

  • Maximize Internal Preparation for PCI DSS New!, by Mathieu Gorge – CEO Vigitrust
  • Network Segmentation New!, Mark Lippman – Senior Partner, Arsenal Security Group
  • Data Encryption: Understanding Encryption and PCI DSS New!, by Gerard Onorato and Jeffrey Foresman
  • An Introduction to the PCI Security Standards Council, by Bob Russo – General Manager, PCI Security Standards Council
  • A Detailed Look at PCI DSS Requirements, by Andrew Henwood - Director of Operations, One-SEC/Trustwave
  • A look into the new Self Assessment Questionnaire, by Jennifer Mack – Vice President, MasterCard Worldwide
  • A Merchant’s Journey towards PCI Compliance, by Alexander Grant, General Manager British Airways
  • Understanding Account Data Compromise, by A. Bryan Sartin - Vice President Investigative Response, Verizon Business
  • Preparing for a Successful PCI Assessment, Lessons from the Field, by Michael Walter – Senior Partner, Arsenal Security Group
  • Reducing Your Risk: A Look Into PCI Vulnerability Scanning, by John Bartholomew – Vice President, Security Metrics
  • Security and the Payments Systems, By John Verdeschi – Vice President, MasterCard Worldwide and Jeremy King – Vice President, MasterCard Worldwide
  • Compliance Validation & Beyond, by Sally Ramadan - MasterCard Worldwide

I have gone through several thus far, and my comments on a few are as follows:

  • Maximize Internal Preparation - Helpful. Core message: set up a diverse team with senior management, and leverage your QSA’s experience
  • Understanding Account Data Compromise - Educational. Great walk-through! Check out Michael Dahn’s excellent ongoing articles on the carder market

Check out the online webinars here. I am sure there are many others, so please add them below in the comments to help everyone!
Best,

James DeLuccia

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Security

NEW Fraud Survey - Identify Impactful Internal controls

July 7, 2008

In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 report has represented the de facto standard for qualitative fraud calculations and risk mitigation efforts. While there is no substitute for reading the full report, I will highlight the following key areas - Audience, Nuggets, and Action items.

Audience:
The report is written both for those who have fraud responsibilities within the organization and for those who have assets worth exploiting. Therefore, the audience I see (beyond the obvious fraud professionals) includes:

  • Chiefs - CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
  • Business Owners - VP, Directors
  • Team Leaders - of small teams

Nuggets:

  • 67 pages of facts sum up 959 cases of occupational fraud
  • 7% of annual revenues are lost due to fraud (up from 6% two years ago)
  • In the U.S. that is approximately $994 Billion in fraud losses
  • 25% of the fraud sample caused a million dollars or more in damages
  • Tips identified 46.2% of all frauds
  • Small businesses suffer more frequently (39.1% of all frauds) and more severely (losses nearly double those of a public company)
  • Independent audit of financial statements was the most common control and nearly the worst at mitigating fraud (the perception of accountability is a high-error area)
  • Most effective controls: internal audit, surprise audits, management review of internal controls, and fraud hotlines

Action items:

  • Re-prioritize internal controls to address fraud
  • Identify which roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
  • Emphasize employee training on fraud (recognition), on the safeguards (whistleblower policies), and on the mechanisms (confidential hotlines)
  • Institute a mature process that follows up on all leads completely and objectively (the damages of a fraud grow over time, so quick elimination of identified fraud has strong rewards)
  • Establish surprise audits and mandatory job rotation

Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment. Segments may be adopted today and into the future. In addition, its ability to eliminate subjective values in risk calculations is tremendous.

Kind regards,

James DeLuccia IV

Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston.  My session on Best and Worst IT controls is on Monday!

Categories: Compliance · IT Controls · ROI · Risk Management · audit · regulations

Better Performance with IT Governance - when done properly

June 30, 2008

Two reports crossed my desk recently and I wanted to highlight a few action items based on their findings. The first is based on data provided by Deloitte, centered on financial institutions, and is entitled “Growing Confidence (The smart way to manage governance, risk, and compliance)”. The second is by the IT Policy Compliance Group and included more than 2,600 organizations in the study.

Deloitte’s position is that GRC is a subset of a greater organizational necessity and therefore must be fully integrated into the organization’s culture. Specifically, GRC goes beyond simple pizza-box solutions and revolves instead around people and behaviors. In addition, the report strongly supports the concept that, through the use of risk management techniques, organizations can take “risk intelligent” actions in the marketplace that otherwise would not be possible, or could be done but would result in failure. The Deloitte “book” is very easy to read and nicely broken down. It is definitely worth the time of anyone concerned with raising their business above simple technology problems to technology innovation. GRC and governance of technology services must strive to move beyond simple change tickets to enhancing business value for customers.

The 2008 report “IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk” provides a nice breakdown of practices and a basic maturity grid based on its findings. The report also builds upon prior years’ results, so a comparison of your organization across similar time periods is possible.

Action Items to Improve TODAY:

  • What gets measured gets improved - establish ANY form of measure (scorecard, six sigma, 360, etc…) and have a set number of metrics that are published to the entire business. This will ensure that progress occurs and that feedback allows for adjustment to the metrics that matter
  • Sponsorship must include all lines-of-business leaders and senior management - the net effect of these improvements will lower cost, allow for more agile deployments into new markets, and provide revenue generation opportunities (this is not the responsibility or focus of technologists)
  • Establish a clear feedback process where metrics (as stated above) and services are reset regularly to meet the demands of the business (revolutions in production, from factories to services, are constant, and only those that evolve with the trend remain relevant)
  • In 2000 companies had their stock ticker symbol streaming across the walls… today they are gone because that is not a true reflection of the efforts and improvements of an organization - do not fall into such a trap: publish metrics that are relevant to those who are concerned (customize them based on the audience)
  • Embrace automation and customization to match the culture of the organization and achieve a level of confidence as the business transforms beyond its defined borders and walls

Enjoy the Deloitte Book here, and find other similar publications here.
Enjoy the IT Policy and Compliance Group report here, registration necessary.

Best,

James DeLuccia IV

Categories: Compliance

HIPAA: An update on guidelines and enforcement

June 23, 2008

Many individuals are as familiar with HIPAA as they are with PCI DSS, but the reasons differ sharply: people are aware of HIPAA due to the privacy statement they sign when they visit the doctor’s office, and they are aware of PCI DSS due to credit card breaches. The underlying cause is a fundamental difference in how each party has enforced violations.

The punitive and public reprimands are minimal for HIPAA (1 public audit to date), while for PCI DSS they are generally carried on the major media channels (WSJ). Recently I came across some stats that have been published (and are regularly updated) that indicate the number of resolutions (6,467 for 2006) and the number of organizations that had corrective actions (1,571 in 2006). These numbers do not align with other public data (the Verizon data breach report, the Internet Crime Report, breaches of PII), but the variance may result from these figures including only cases where complaints were filed.

In addition, NIST updated SP 800-66 Rev1, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”. The comment period just ended, so a final version should be forthcoming. The standard is described as follows:

“NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.”

The document is a great resource for any organization that is building its global governance control environment framework, and it contains additional references to other NIST documents that provide greater detail and information. In addition to this document, HIPAA stakeholders should check out the CMS documents.

Looking for others’ thoughts and perspectives around HIPAA compliance… the good and the bad, and any useful references.

Best,

James DeLuccia

Categories: Compliance

ABA Banking Journal Article on Project Management

June 19, 2008

I have been fortunate to work directly on product development of software, widgets, and service businesses, and the end result is an intense appreciation for project management techniques. Projects have failed (lack of cultural appreciation, scope creep) and others have succeeded (senior executive support, cost reduction ~ grid computing metrics, short-term returns) for varying reasons, but all have provided valuable lessons to everyone involved.

The American Bankers Association Banking Journal exists to help managers and executives succeed in the competitive financial services market - now more important than ever with financial market values dropping about 22% over the past 12 months. Their most recently published journal features an article that I contributed on the complexity and opportunity that exists in project management for technology groups that seek to provide true business value. Check out the article, The Case for e-Project Management, here!

Projects can only succeed when the right information, people, and culture are in place… some good self-evaluation questions that you need to consider include:

  • Is the technology environment capable of meeting the business objectives?
  • How are the costs of these projects and the existing technology resources allocated and linked to business revenue generation?
  • How are current projects measured? (To that point - how are past projects measured?)
  • How have the project goals been communicated, and is the messaging understandable for each party involved?

Management and practitioners must consider the importance of technology environment projects, such as achieving PCI DSS compliance within 6 months or revamping your technology control environment to reflect the global threat of fraud, and establish a successful roadmap that appreciates the culture of each organization.

Other thoughts?  Favorite lessons?  Please share…

Best regards,

James DeLuccia

** Join me at the ACFE 19th Annual Conference in Boston, July 14th!!

Categories: Compliance