Entries categorized as ‘PCI DSS’
Inspired by “How Anonymous Do Businesses Need to be?”
I recently had the opportunity to lend my thoughts on this topic and was included in the article. The article is here, by Lora Bentley, who writes some interesting articles; I highly recommend reviewing her prior work. Below is her question and my response:
“…when and why companies (as opposed to individuals) use such technology as that provided by Tor or Anonymizer and…whether businesses find such tools to be valuable.”
My Response:
The use of such technologies, bleeding edge in concept and application, has proven itself over and over again. Consider the use of BitTorrent – some companies are using distributed files to load patches across tens of thousands of systems with a small impact on the network vs. a standard Microsoft patch system. There is also the example of firms leveraging P2P for video transmission within a Fortune 50 company to push training and corporate messages around the globe.
The use of such tools provides a level of security and is very valuable to organizations that deal in research and highly competitive industries. For instance, in the manufacturing space (a former life) we had the research, design, and test systems walled off with concrete and had strict access control rules. Today the public internet is heavily leveraged and end-users (researchers) operate around the world on some unsafe networks (coffee shops, and certain nations) where eavesdropping and monitoring are highly likely. The simple observation of an employee’s Google searches and frequently visited websites would be enough for corporate espionage specialists. In addition, such privacy approaches are valuable for corporate research where the end-point servers record who/what is visiting; this further eliminates an available avenue of information.
In the end, the usage of leading technologies within corporations will occur. Tor and Anonymizer (only a few examples in this arena) provide exceptional safeguards for research and market testing facilities that are not widely available today.
Now, writers do not have a lot of space and must keep a topic concise and digestible; however, I do feel my response deserves a bit more expansion to ensure I am clearly understood, so I have provided it here for all to comment, question, challenge, and such.
What other technologies fit this category? How do we handle these around IT controls and within the PCI DSS space?
Best,
James DeLuccia IV
Categories: IT Controls · PCI DSS
This week I sat through undoubtedly the best education I have had surrounding the payment industry and specifically PCI DSS. The training was provided by the Aegenis Group for the Society of Payment Security Professionals – who include notables such as Michael Dahn of PCI Answers.com, and Chris Mark. The training was three very full days and covered their two subject areas – the Auditor and Manager portions. There is a fourth day that is made up of just under 5 hours of testing, so not really a day of learning but of demonstration.
To provide some context here, I need to highlight that I have attended the Visa QSA training, ETA training sessions, RSA VISA conference hall sessions, and third-party PCI training, and have even delivered PCI training. The attendees were a diverse group that included QSAs, Acquirers, Issuers, ISOs, Merchants, and a variety of others. The group made the breaks tremendously valuable and really added to the course. Despite a very full room and three solid days of material and learning, I was very pleased with the material, presentation, and experience.
A bit of detail for those that deal with payment card information and would like to minimize their risks and maximize their operating budgets:
Auditor section (CPISA)
- The training is broken out for technical and manager / operators
- The auditor portion was very technical, but not in the biased security way that some courses provide
- The auditor section provides great detail on what should be in place and how to ensure compliance with the payment industry’s concerns (not solely those of PCI DSS)
- The auditor certification exam was moderately difficult for me, but less than others given my experience. Of course, this is all just optimism given the results take several weeks to be calculated!
Manager section (CPISM)
- This section was tremendously valuable – focused on the macro effect of having sensitive data and what strategically needs to be done
- That isn’t to say this was fluff – there was a constant flow of practical details from current challenges
- There was plenty of detail around the contributing regulations (a personal passion of mine) that impact PII and these businesses
I can’t say too much given I signed a privacy and confidentiality agreement, but the bottom line is simple. If your business stores, processes, or transmits credit cards, OR your business makes sure companies do not have security concerns for those systems, you must take this training. The certification exams are extremely tough, the material is based on thousands of pages, and the days of training are the primer for your further education. Those who showed up to this training without preparation weren’t able to dive into the deep problems.
Enough of the payment industry for me this week. For a bit of variety check out this new breach involving ‘entities’ trying to hack into the candidates’ systems looking for a leg up on policy.
Fresh from Dallas,
James DeLuccia IV
Categories: PCI DSS · audit
So, there are tremendous implications for their business model, but to place the spotlight on one area let’s focus on data security and regulations (my favorite). AMEX is one of the organizations that built the PCI DSS, the PCI SSC, and all recent publications. The intent of PCI was to have industry-forced mandates that protect cardholder data. As private companies, Visa and MasterCard had a lot of leeway in how they handled operations and were able to contain the management of requirements. Given the IPOs of these two associations, and now AMEX becoming a bank, the future presents itself as far different than it was 3 months ago and 12 months ago.
Banks operate under extensive regulations, and there is substantial information surrounding the safeguarding of data through information technology controls. The FFIEC books are world renowned for their coverage in this area. In addition to these known requirements there are additional third-party requirements that will be introduced. Anyone who has worked with a financial institution that is required to abide by GLBA knows that they too must satisfy the requirements.
My highlighting of GLBA and regulatory leakage (when the requirements of one sector trickle down into other sectors of the economy – SOX, anyone?) is that while PCI DSS is here to stay, there must be greater forms of validation surrounding Information Technology and Controls. Those who operate within the payment industry would be strongly advised to continue to practice PCI DSS, but also to maintain a more holistic view of contributing and supportive regulatory mandates to ensure smooth operations in the near future.
Other thoughts on how AMEX becoming a bank will impact business?
Kind regards,
James DeLuccia IV
Event Update: BOOK Signing, Free Tastings, and such at Starbucks 1400 Dunwoody Rd, 2-4pm Nov. 23rd. (there will be prizes, so feel free to stop by even for just a moment!)
Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Sarbanes-Oxley · regulations
November 6, 2008 · 1 Comment
Organizations that have to comply with PCI DSS have undergone, at one time or another, an automated remote vulnerability scan, as required for all public internet-facing IP addresses that cater to the payment transaction systems. However, most would also agree that these assessments are not thorough and do not indicate a secure website or set of applications. I have written about that here, and instances of companies that were vetted by such remote scanning companies and still hacked are widely publicized. So, most organizations employ web application penetration assessors to conduct thorough evaluations of these applications.
What is the difference between these engagements? The difference is huge:
ASV Scans are basically a remote application checking for widely known vulnerabilities and misconfigurations. Some web application weaknesses are identified (automatically), but nothing to the degree that the application may become unstable during the tests. These last a couple of minutes and cost approximately $1/IP up to $100/IP.
The web application assessors are human beings that intelligently vet the applications in their entirety. Note this is done remotely, just like the ASV effort. The difference is that this type of engagement is at least 3 DAYS, and can cost as little as $2,500.
Clearly they are massively different, and organizations should always rely on the assessors’ work over that of the ASV. What I would suggest is that organizations that are paying for both should be able to submit their assessor report as a satisfactory ASV report.
Just a thought. Bottom line – companies should have an assessor truly vet their applications to ensure that they are SECURE and resilient to attacks. ASV costs are low enough to be done despite their lack of rigor.
Kind regards,
James DeLuccia IV
On a side note: A book signing will be held on November 23rd at 1400 Dunwoody Rd from 2-4pm. Come by for free tastings of my favorite coffee shop and to chit chat about the book.
Categories: PCI DSS
In a nice article on Tech Target, John Kindervag, a wicked smart guy, provides a recap of his presentation given at the Forrester Security Forum 2008, entitled “The Inside Story of PCI: Confessions of a QSA.” John provides some very pragmatic steps to addressing PCI compliance (which can equally apply to others – SOX, HIPAA, BASEL, IFRS). I felt John had some good points and have added my comments below:
To narrow down the scope of PCI, companies should first segment out network systems that contain credit card data.
I agree, with a contingency – that the business examine HOW business processes are operating and designed. This is a natural by-product of a deep control evaluation due to the nature of interviews and bringing together teams. Segmentation and reduction in the number of steps / systems / processes provides immediate cost and time advantages.
“Compliance is a marathon; a never-ending marathon,” Kindervag said.
I completely agree! I would add, as those who have experienced a marathon training program will agree, that preparation is the key to achieving this level of compliance. It is not enough to simply create a 1-year budget, knock out the requirements by buying tech / consultants, and forget it in years 2, 3, N. Instead, treat this as a line of business – one that is regularly measured, funded, and required to improve like any new LOB. Treating compliance in this manner will establish a culture that integrates compliance needs into the core of the business without the teams becoming exhausted from sprints and emergency efforts.
“The only way to indemnify yourself from fines is to be compliant at all times,”
This one is tricky because it requires firms to be continuously testing their control environment to demonstrate compliance. The technology exists today to provide this capability, and certainly the benefits are obvious. Firms should work on automating triggers and alerting systems that initiate response teams in the event that a control environment violates a compliance mandate. This will ensure PCI DSS compliance is maintained. In addition, ensure that both the preventive and detective components of PCI are in place.
Next, conduct a gap analysis. Focus on wireless, Kindervag said.
Wow, yes and no. I agree the gap analysis is a proper step, but focusing on wireless is not the critical path in achieving and continuously maintaining a compliant and secure environment. Wireless is important, and has been the source of problems for some folks, but following the risk-based approach article I would recommend isolating the transmission and storage of cardholder data. Meaning – establish the trusted path first, and this will cover wireless as a by-product.
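As an added example (mine, not from the post or from Forrester), here is what the automated compliance trigger mentioned above might look like when applied to the segmentation point: a small check that evaluates a firewall ruleset against the cardholder data environment (CDE) boundary and raises an alert for any rule that opens the CDE to an out-of-scope source. The subnets and rules are constructed sample values, not from any real environment.

```python
"""Continuous segmentation check: alert on firewall rules that expose the
cardholder data environment (CDE) to networks outside its defined scope."""
import ipaddress
from dataclasses import dataclass

# Constructed example scope: the in-scope CDE segment and the only
# zone permitted to initiate connections into it (hypothetical values).
CDE_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_SOURCES = [ipaddress.ip_network("10.30.5.0/28")]  # admin/jump hosts

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR; "0.0.0.0/0" means any source
    dst: str     # CIDR
    port: str    # "any" or a port number as text
    action: str  # "allow" or "deny"

def touches_cde(dst):
    """True if the destination range overlaps any CDE subnet."""
    return any(dst.overlaps(n) for n in CDE_SUBNETS)

def source_permitted(src):
    """True if the whole source range lies inside an allowed zone."""
    return any(src.subnet_of(a) for a in ALLOWED_SOURCES)

def evaluate(rules):
    """Return one alert string per allow rule that widens the CDE boundary.
    Rules are judged individually; rule ordering/shadowing is not modelled."""
    alerts = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if not touches_cde(dst):
            continue
        if not source_permitted(src):
            alerts.append(f"{r.name}: {r.src} -> {r.dst}:{r.port} allows out-of-scope source into CDE")
        elif r.port == "any":
            alerts.append(f"{r.name}: {r.src} -> {r.dst} allows all ports into CDE")
    return alerts

# Constructed ruleset: one compliant rule, a wireless zone with an
# overly broad path into the CDE, an internet-exposed host, and a deny.
SAMPLE_RULES = [
    Rule("admin-ssh", "10.30.5.0/28", "10.20.0.0/24", "22", "allow"),
    Rule("corp-wifi-any", "10.50.0.0/16", "10.20.0.0/24", "any", "allow"),
    Rule("internet-web", "0.0.0.0/0", "10.20.0.10/32", "443", "allow"),
    Rule("deny-all", "0.0.0.0/0", "10.20.0.0/24", "any", "deny"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RULES):
        print("ALERT", alert)
```

Run on a schedule against an exported ruleset, a non-empty result is the trigger for the response team; an empty result is the evidence of continued compliance that an assessor can review.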
A nice article and John raises some very good points. John sums up PCI and safeguarding data through segmentation in a simple quote, “PCI is a communicable disease.” Email your Forrester contact for a copy of the presentation. Check out the article, as he raises something near and dear to my heart – creating a collaboration platform that creates transparency and a vehicle for accelerating compliance.
Kind regards,
James DeLuccia IV
Categories: Compliance · PCI DSS