Payment Card Security & IT Controls Explained

I recently spoke on the best practices found within the PCI DSS and networking security practices.  The audience represented both providers of payment transactions, retail services, and banking solutions.  The singular focus provided a forum to dive deeper into the security and compliance intents of PCI DSS while not damaging the worth and importance of the other sections (a common result of focusing on singular areas).
Given the presentation is not available publicly online, I wanted to list the key points highlighted below.  As always, please contribute and expand on any area that you have experience or curiosities.
Key points to consider include:

• Defining the boundaries of the sensitive data, and subsequently for auditors and managers the scope of the audit and control environment.
• Addressing specific lower limit control practices
• Establishing a monitor / feedback system
• Usage of Compensation Controls

I will briefly expand on each of these central tenets…but of course, please do dig into each area - there is simply not enough real estate here to adequately cover all aspects.

Scoping and Limiting Key Controls:

• Establish Segmented environments, and utilize sufficient authorization and access control technologies
  • For example:  Separate POS network from common network through firewalls and such

Procedure Practices:

• Maintain secure configurations - develop them based on a plan, validate they meet objectives through 3rd party method, restrict modification while in the field, and update consistently
• Take advantage of self-evaluation opportunities to strengthen control environment and supportive documentation.

Monitoring Controls:

• These are successful when the scope is reserved, the notifications are accurate, and there is consistent follow-through from all aspects of the organization

Compensating Controls:

• The PCI DSS recognizes some organizations have robust controls, but may not precisely identical to those advocated… if the intent is met than submit a request for an exception to a specific control.
• Precedent exists and it is prudent to integrate only supportive and not duplicative safeguards

As always, please vet your organization from its own unique perspective.  I firmly believe that organizations should regularly evaluate their own business procedures (including processing cardholder data), and if necessary to integrate and not add-on the PCI requirements.

Kind regards,

James DeLuccia

I woke up this morning and was encouraged to see the FTC continue on its efforts to monitor the technology safeguards of companies in at least a consistent and security-risk minded approach. Now, while I am not a fan of unnecessary regulations and always feel a healthy bit of regular evaluation and expiration is necessary, it is suitable for companies that clearly do not abide by best practices are more closely supervised. This ruling by the FTC is consistent with that which was ruled for ChoicePoint in Georgia.

An interesting point is the scope of the required audit (physical safeguards through digital) and basic controls referenced under PCI. Specifically the FTC charged that TJX:

• “Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
• Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
• Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
• Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
• Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.” Press Release by FTC

The additional news, and expected given PCI DSS policies, on the release was that the company would undergo regular future audits separate from the government audit that will extend for 20 years.

Catch the full press release here, the Choicepoint ruling here, and the WSJ article here.
Please post any other articles that expand on this… or your thoughts if the FTC is the right body to do this type of monitoring, as it has been a twist on their established authority.

Best regards,

James DeLuccia

There have been recent attacks that threaten the physical integrity of systems, but can be mitigated through the adherence to PCI DSS, and increased vigilance.  The recent news stories on Firewire exploits, RAM downloads, Full Disk Encryption weaknesses, and magnetic access card vulnerabilities highlight the necessity of a review of the PCI physical and monitoring safeguard requirements that mitigate these risks.  There is plenty of technical discussion and Proof of Concepts on these attacks, and it is important that we understand how they threaten our card holder data and enterprise viability.

Requirement 9 states “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. ” (PCI DSS v1.1)

• Section 9.1.1 (video monitor sensitive areas) would detect attackers accessing your sensitive servers and secured workstation areas that contain cardholder data - a good detective control for the Firewire, Disk Encryption, RAM, and Magnetic Card reader attacks
• Section 9.2 (Identification) control would contribute to detecting someone bypassing the access control doors if the office was small, or the identification used color codes that signified what employees have access to what areas.  (The need for unique identification for employee access levels is that visual access and duplication of one badge is easy, but having the correct type of badge in the right area is more challenging and raises the likelihood of detecting an unwanted guest).

Requirement 10 states “Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”

• Section 10.2.1 and 10.2.4 require use to maintain audit logs of events for all users and on systems that contain sensitive data.  This would provide rapid identification of unauthorized attempts due to the magnetic card attack.  Usage of triggers would ensure that actions may be taken promptly and through regular review as required under 10.6.

I further investigate this topic of controls and hardware based attacks at IT Compliance and Controls.  In addition I spend a great deal of time analyzing these vectors and the necessity of proper controls under Principle 3 Access and Authorization and starting on page 173 of IT Compliance and Controls - Best Practices for Implementation (my newly released book).

Please feel free to add comments, additional controls thoughts, and any other approaches that these safeguards manage the risks to our organizations.

Best,

James DeLuccia IV

Upcoming Speaking Engagements:

• Please join me at RSA 2008 for my session on: Emergence of international regulatory synergies
• Please join me in Boston, for the Association of Certified Fraud Examiner’s Conference with my session on:  Worst and Best IT Management Practices

The PCI Security Standards Council today released several important documents today. Every Merchant, Service Provider, and risk manager should review these publications. The official Press Release “PCI Security Standards Council Issues Updated Self Assessment Questionnaire“. A quick overview of each:
A Guidance document - “Understanding the Intent of the Requirements, v1.1“

• This document provides much needed elaboration in the form of “Guidance” for every PCI DSS control requirement. For instance, the standard requires a quarterly review of the firewall and router rule sets (1.1.8), and the new guidance now expands on what this opportunity allows - clean up, removal of incorrect rules, sufficient time to balance rules with business.
• The guidance document is 45 pages in length and available at the PCI site

An updated SAQ Package has been released. The Self Assessment Questionnaire originally was a single questionnaire list where companies of all types (Merchants, Service Providers, etc…) were required to complete. The new release of documents today provides greater explanation of how SAQ is part of the PCI DSS, and provides unique SAQs depending on the organizations business structure. There are now five types of questionnaires that may be completed:

• SAQ Validation Type 1 Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
• SAQ Validation Type 2 Imprint-only merchants with no electronic cardholder data storage
• SAQ Validation Type 3 Stand-alone terminal merchants, no electronic cardholder data storage
• SAQ Validation Type 4 Merchants with POS systems connected to the Internet, no electronic cardholder data storage
• SAQ Validation Type 5 All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

In the SAQ Instruction Guide pages 6-7 provide a nice common-sense approach to minimizing the impact of credit card processing and simple means of reducing the risks.

As in all new releases, read each document yourself and then prepare a distilled version for internal parties and your business partners. In addition, all SLA and contractual agreements should be reviewed and any necessary communications should occur to update the business operation thresholds. These documents contain important clarification and have been tuned to be more reflective of the business itself, so it is important to leverage these improvements and provide feedback to the Council.

Michael and others have some good tid bits posted about the new standard. Definitely check them out (Especially check out pcianswers to find out a good nugget on Compensating controls) Thanks to everyone out there making a better transaction environment!

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today

VISA announced today that the majority of their merchants were PCI DSS v1.1 compliant. Specifically, 99% of Level 1 Merchants and 92% of Level 2 Merchants have met compliance or have submitted an approved remediation program. This is a huge increase in compliant organizations year over year, and much congratulations is due to the merchants and Visa who worked to get this done. A fortunate by product of this is, hopefully, we will see some similar successes and releases by the other four card associations that make up the majors. It is important to realize that Visa is only one of the four, and the others are just as important to ensuring consumer confidence, and eliminating credit card / identity theft through the payment transaction system.

In addition, I found a study released showing that those organizations that are PCI Compliant have a lower instance of fraud, as a result. This is in line with my earlier article here and here at IT Compliance and Controls.

Well done Visa and the associated merchants in this release, and here is to making 2008 a far better year than 2007 for online security and consumer credit card confidence.

An article on the press release and its impacts on consumers and merchants is available here by SC Magazine, and here.

Best,

James DeLuccia