Payment Card Security & IT Controls Explained

Entries categorized as ‘PCI DSS’

FTC rules on TJX Data Breach, WSJ

March 28, 2008 · 1 Comment


I woke up this morning and was encouraged to see the FTC continue its efforts to monitor the technology safeguards of companies in at least a consistent and security-risk-minded approach. Now, while I am not a fan of unnecessary regulations and always feel a healthy bit of regular evaluation and expiration is necessary, it is suitable that companies that clearly do not abide by best practices be more closely supervised. This ruling by the FTC is consistent with the ruling against ChoicePoint in Georgia.

An interesting point is the scope of the required audit (physical safeguards through digital) and the basic controls referenced under PCI. Specifically, the FTC charged that TJX:

  • “Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.” (FTC press release)

The other news in the release, expected given PCI DSS policies, was that the company would undergo regular future audits, separate from the government audit, which will extend for 20 years.

Catch the full press release here, the ChoicePoint ruling here, and the WSJ article here.
Please post any other articles that expand on this… or your thoughts on whether the FTC is the right body to do this type of monitoring, as it has been a twist on its established authority.

Best regards,

James DeLuccia

Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · audit · information security

PCI DSS Safeguards can mitigate recent hardware attacks

March 21, 2008 · No Comments

There have been recent attacks that threaten the physical integrity of systems, but they can be mitigated through adherence to PCI DSS and increased vigilance. The recent news stories on Firewire exploits, RAM downloads, full disk encryption weaknesses, and magnetic access card vulnerabilities highlight the necessity of a review of the PCI physical and monitoring safeguard requirements that mitigate these risks. There is plenty of technical discussion and there are proofs of concept for these attacks, and it is important that we understand how they threaten our cardholder data and enterprise viability.

Requirement 9 states “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.” (PCI DSS v1.1)

  • Section 9.1.1 (video monitoring of sensitive areas) would detect attackers accessing your sensitive servers and secured workstation areas that contain cardholder data - a good detective control for the Firewire, disk encryption, RAM, and magnetic card reader attacks.
  • The Section 9.2 (Identification) control would contribute to detecting someone bypassing the access control doors if the office were small, or if the identification used color codes signifying which employees have access to which areas. (The reason for unique identification of employee access levels is that visually copying and duplicating a single badge is easy, whereas having the correct type of badge in the right area is more challenging, which raises the likelihood of detecting an unwanted guest.)

Requirement 10 states “Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”

  • Sections 10.2.1 and 10.2.4 require us to maintain audit logs of events for all users and on systems that contain sensitive data. This would provide rapid identification of unauthorized attempts arising from the magnetic card attack. Using triggers would ensure that actions may be taken promptly, and through the regular review required under 10.6.
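As an added example (not from the original post), the following Python script shows what a 10.2.4 trigger and a 10.6 review summary can look like over audit logs: it parses constructed log lines, flags repeated denied attempts on cardholder-data systems, and tallies activity for periodic review. The log format, host names, user identifiers and the threshold are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; assumed format: "<ISO ts> host=<name> user=<id> action=<verb> result=ok|denied"
SAMPLE_LOG = """\
2008-03-21T08:01:10 host=cde-db01 user=jsmith action=login result=ok
2008-03-21T08:02:01 host=cde-db01 user=badge4471 action=door_unlock result=denied
2008-03-21T08:02:05 host=cde-db01 user=badge4471 action=door_unlock result=denied
2008-03-21T08:02:09 host=cde-db01 user=badge4471 action=door_unlock result=denied
2008-03-21T08:30:00 host=corp-mail user=jsmith action=login result=denied
2008-03-21T09:15:22 host=cde-db01 user=jsmith action=read_pan result=ok
"""

# Systems that store cardholder data (constructed list; defines the 10.2 scope).
CDE_HOSTS = {"cde-db01"}

def parse_line(line):
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        event[k] = v
    return event

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def invalid_access_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """10.2.4 trigger: `threshold` or more denied attempts by one user on a
    CDE host within `window`. Returns sorted (user, host) pairs."""
    denied = defaultdict(list)
    for e in events:
        if e["host"] in CDE_HOSTS and e["result"] == "denied":
            denied[(e["user"], e["host"])].append(e["ts"])
    alerts = set()
    for key, times in denied.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.add(key)
                break
    return sorted(alerts)

def daily_review_summary(events):
    """Per-host/user/result counts for the periodic 10.6 log review."""
    counts = defaultdict(int)
    for e in events:
        if e["host"] in CDE_HOSTS:
            counts[(e["host"], e["user"], e["result"])] += 1
    return dict(counts)
```

Events on hosts outside the cardholder data environment (corp-mail above) are excluded from both the trigger and the review summary, which is how the scope of 10.2 narrows the review workload.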

I further investigate this topic of controls and hardware-based attacks at IT Compliance and Controls. In addition, I spend a great deal of time analyzing these vectors and the necessity of proper controls under Principle 3, Access and Authorization, starting on page 173 of IT Compliance and Controls - Best Practices for Implementation (my newly released book).

Please feel free to add comments, additional thoughts on controls, and any other approaches by which these safeguards manage the risks to our organizations.

Best,

James DeLuccia IV

Categories: Compliance · Governance · IT Controls · PCI DSS · Security · audit · information security

PCI Compliance: Practices to Achieve Savings

March 8, 2008 · 1 Comment

A recent article was published that proffered that companies need not hire expensive consultants to meet PCI compliance. The author goes on to detail that the best approach is, first, to walk through the documents internally, and second, to document your controls. I wholeheartedly agree that self-reflection and properly recording controls are absolutely pivotal to reaching compliance with PCI, and in fact you could apply this to any mandate or legal burden.

I feel, however, that the author has left a few stones unturned, and wanted to highlight additional practices (demonstrated by clients in the U.S.) that can maximize your efforts in demonstrating, maintaining, and operating a compliant control environment.
Align control environments and produce a single repository:
Organizations should consider how their existing control environments are deployed, and whether other attestation events will examine the same systems. It is very likely that the identity management system, firewall, logging servers, anti-virus, etc., that are identified as core controls for PCI are also applicable to SOX, FERC/NERC, and many others. So, identifying what controls are in place, and then producing a single set of audit documentation, can maximize the audit engagement and remove duplication.
Consider having more than one audit at a time:
Audits are done to examine a period of time in the past to validate that the controls are operating correctly. If audit events are stretched out over several months, then the test period in question shifts with the audits, and while it is good for the organization to maintain an optimal level of compliance due to these long audit windows, it is also extremely wasteful. Similar to the alignment savings, having to provide the logs of your LDAP server once instead of six times has obvious benefits and results in clear savings.
Assign an internal resource to conduct your PCI audit:
Merchants required to produce a report on compliance to VISA and the other card associations may hire an assessor, OR use an “internal audit if signed by an Officer of the company”. That can translate to very large savings, both in audit fees and in the fact that internal audit departments (or assigned persons) will have greater knowledge of the business than an outsider. A note of caution on this savings recommendation - third parties come with experience of multiple environments (and their likely areas of weakness), and without the assumptions made and accepted by being part of a company's culture. Extreme diligence must be taken when internal resources are relied upon - especially if those assigned are the ones running the environments (the fox watching the hen house).

There are many other areas of savings that can be achieved for PCI, and a larger number of practices for SOX and others… but another time. I welcome any additional areas of savings people have seen!!

Best regards,

James DeLuccia IV

IT Compliance and Controls Book Release is March 19th 2008!! Pre-Order Today

Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · ROI · audit

“Mastering the Payment Card Industry Standard” article for CPAs

February 11, 2008 · No Comments

The January 2008 issue of the Journal of Accountancy had a nice write-up regarding PCI: the framework, the history, how the transaction system works, the threats (including TJX) and their impacts, and the opportunities CPAs should be aware of. The article can be found here.

It is a worthwhile read for those new to PCI, and especially for those running the finance side of organizations. The author does a nice job of summing up the main points of PCI, and addresses the topic to an audience that may not be wholly familiar with the payment industry. Other great articles are available at the AICPA site, and access to the materials is free online. Definitely take advantage of the resources at this site, as it is only with multiple perspectives that information within organizations can be sufficiently secured to ensure operational efficiency.

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · audit

PCI Council releases new Guidance & SAQs!!

February 7, 2008 · 2 Comments

The PCI Security Standards Council today released several important documents. Every merchant, service provider, and risk manager should review these publications. The official press release is “PCI Security Standards Council Issues Updated Self Assessment Questionnaire”. A quick overview of each:
A guidance document - “Understanding the Intent of the Requirements, v1.1”

  • This document provides much-needed elaboration in the form of “Guidance” for every PCI DSS control requirement. For instance, the standard requires a quarterly review of the firewall and router rule sets (1.1.8), and the new guidance now expands on what this opportunity allows - clean-up, removal of incorrect rules, and sufficient time to balance rules with the business.
  • The guidance document is 45 pages in length and available at the PCI site.

An updated SAQ package has been released. The Self Assessment Questionnaire was originally a single questionnaire that companies of all types (merchants, service providers, etc…) were required to complete. The new release of documents today provides greater explanation of how the SAQ is part of the PCI DSS, and provides unique SAQs depending on the organization's business structure. There are now five types of questionnaires that may be completed:

  • SAQ Validation Type 1: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
  • SAQ Validation Type 2: Imprint-only merchants with no electronic cardholder data storage.
  • SAQ Validation Type 3: Stand-alone terminal merchants, no electronic cardholder data storage.
  • SAQ Validation Type 4: Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
  • SAQ Validation Type 5: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

In the SAQ Instruction Guide, pages 6-7 provide a nice common-sense approach to minimizing the impact of credit card processing and simple means of reducing the risks.

As in all new releases, read each document yourself and then prepare a distilled version for internal parties and your business partners. In addition, all SLA and contractual agreements should be reviewed and any necessary communications should occur to update the business operation thresholds. These documents contain important clarification and have been tuned to be more reflective of the business itself, so it is important to leverage these improvements and provide feedback to the Council.

Michael and others have some good tidbits posted about the new standard. Definitely check them out (especially pcianswers, for a good nugget on compensating controls). Thanks to everyone out there making a better transaction environment!

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today

Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · audit · information security