Payment Card Security & IT Controls Explained

Entries categorized as ‘Sarbanes-Oxley’

The western hemisphere ahead of AsiaPacific

June 4, 2008 · No Comments

“Medicine rarely tastes good. The introduction of Sarbanes Oxley was, for many, accompanied by significant distaste for the idea. In the longer term, it does appear that those institutions exposed to the rigours of more exacting compliance regimes have made more progress with developing integrated governance and controls frameworks.
Financial institutions in the western hemisphere are ahead of their eastern colleagues. Our analysis shows only a quarter of financial firms operating worldwide have a reasonably integrated compliance and controls framework – all of these firms are from the west. These results suggest there is much to do in the Asia Pacific region both in continuing to create regulatory regimes and continuing to raise the quality of internal governance and control systems.”

A published research study by Deloitte, quoted above, highlights the importance of integrating compliance, governance, security controls, and risk management into an enterprise control environment. The economies of scale translate to approximately a 2.5% difference in expenses incurred, and at the current $78 billion in expenses that is a material impact on any company's bottom line. In addition, “Banks, insurers and investment banks have all seen the costs for governance and control rise by around a third between 2003 and 2006.”
Check out the article here, and consider how integrated your control environment is. Have you eliminated the silos that manifest themselves over time? Are you leveraging the full value of your technology infrastructure, your licenses, your power consumption?

Always Curious,

James DeLuccia

Categories: Compliance · Sarbanes-Oxley · regulations

IIA South Eastern Regional Conference Day 2.1 - Effective Compliance Programs

September 28, 2007 · 1 Comment

The second day of the conference was excellent. Everyone I spoke with regarding the speakers, topics, and materials thought day 2 was the best and blew away the first day. I had the privilege to attend several sessions that focused on Corporate Governance, Audit Committee Oversight duties, Fraud Risk Assessments, and Effective Audit techniques. I was unable to attend the full day on Wednesday, Day 3, but was able to enjoy Ed Robinson’s presentation and a thorough breakdown on the Foreign Corrupt Practices Act (FCPA). I will post my notes from the conference in sections given the need to digest all that I heard prior to posting:

“Structuring an Effective / Comprehensive Compliance Program” was presented as a panel discussion that included several notables on the panel - Ryder, OCEG, Turner, and Southern Company.

  • It was noted that SOX provided several benefits - attention and resources around the existing compliance program and the motivation to mature. Second, SOX identified how weak many of the technology controls were surrounding the controls of the financial reporting systems.
  • A study from the OCEG was presented with several trends and statistics (Available - Check out this post for the OCEG and many more):
    • The status quo in organizations is the existence of SILOS (Finance, HR, IT) in the management of compliance and control requirements
    • Technology solutions are trending to bridge these SILO gaps and create a central management approach
    • 2/3 of companies were found to be adversely affected by redundant/duplicate controls. These effects included:
      • Pain of reconciling disparate data
      • Difficulty finding the truth
    • 1/2 of all identified failures caused harm and damage to the organization (deficiencies), but these effects were short-lived and the memories were quickly forgotten in the organization.
    • Only 14% of respondents had integrated their compliance programs
    • The overarching theme that resonated from the study was the need for consistency and accountability
  • Compliance departments must not become the Department of NO. (A role that IT Security once held, and in some cases still holds)
  • The existence of a Chief Risk or Compliance Officer is attributed to the FSG (Federal Sentencing Guidelines)
  • General overview of the FSG (Mainly pulled from Chapter 8):
    • Possess good policies and procedures
    • Assign a responsible party (Compliance Officer)
    • Existence and presence of a program
    • Communicate / publish / train on the program
    • Enforce the Standards
    • React and address problems
    • “Effective” as defined by the FSG is a program that has the ability to identify and prevent criminal activity
    • Note: The government does not care how much was spent on a safeguard, but only that it is effective - business perspectives must be considered
    • The FSG is not a compliance standard for an organization, but it should be incorporated to ensure both that the organization is protected and that due care is taken for its personnel
  • Challenge of Ethics
    • Organizations can choose to accept fines for non-compliance if only direct costs are considered
    • Ethics are decided based upon social duties, doing the right thing, and based on the maturity of the business
  • When dealing with auditors, create a relationship and seek to understand the intent of the effort
  • Understanding the reasons information is sought allows for the organization to provide the correct information.
  • OCEG - the Red Book published in its current form has recommendations on establishing a compliance program
  • The risks faced by an organization can come from a number of areas and must be centrally owned by a core group, i.e. the Compliance group. These risks may be categorized as environmental, compliance, people, ethics, regulations, and business
  • A simple method of gaining acceptance by business parties is to first identify the risks (see categories above), second vet these against a formal corporate compliance steering committee (vet and weigh the risks), third give business another pass, and finally compare these digested risks and ratings against any multinational rankings.
  • Benchmarking is very important to ensure a business is not over spending or falling behind in the technology innovations. Benchmarks can be gathered through OCEG and public surveys.
  • Several Studies were recommended to include:
  • A common refrain by the panel was that compliance programs should promote the delivery of advanced information on compliance to satisfy the concern of management, the Board, and the Audit Committee
  • Some takeaway tips from the session:
    • Develop an Agreed-Upon Procedures process for GRC
    • Define hard metrics for a framework - consider OCEG Red Book
    • Become certified - whether by ANSI, OCEG, or others
    • A tip by the OCEG spokeswoman was that everyone should join the OCEG study survey process, because all participants get a free customized report that provides benchmarks based on each survey.

Benchmark, Benchmark, Benchmark:

  • Statistics that are timely and complete are not easy to locate and absorb into an organization for comparison; however, a great tip provided by the panel was to look for bad reports!
  • Bad compliance or failed audit reports that are made public in proxy filings and by government agencies contain huge amounts of information on what was done wrong - e.g. Fannie Mae (a 348-page report worthy of any good flight across the pond), Boeing, and CA.
  • Take advantage of free webinars to learn about latest interpretations of laws and requirements

The greatest theme that resonated throughout this session, one-on-one interviews and discussions I had, and those of other sessions can be summed up in the following points:

  • Seek to understand an organization’s culture - even transformational leaders must understand where the river flows before effecting change.
  • Identify areas of value from the compliance program beyond avoiding fines, and contribute to the mission of the business
  • Risk Assessments (of all risk categories) are a necessary starting point before any audit and monitoring is possible.
  • Communicate in a language that can be understood - and gain a presence with the Directors and executive management.

A long overview, and I hope of some value to anyone seeking to hone their compliance programs. There is a tremendous amount of thought leadership in this area, and I encourage anyone to contact me to discuss these points.

Best regards,

James DeLuccia IV

Categories: CoBIT · Compliance · IT Controls · Sarbanes-Oxley · State Laws · audit · auditing · conference · iia · information security · regulations · sox

U.S. Markets Competitive (again?) - SOX and company are good

June 22, 2007 · No Comments

Ernst and Young’s global survey released today indicated that despite popular press and political dancing (Paulson Interim Report, Bloomberg/Schumer Report) the U.S. IS, in fact, competitive. This is despite the existence of a strongly regulated market, and one where SOX, at full strength, did not, apparently, hurt the U.S. market prospects. The study showed that the U.S. generated the largest number of IPOs in 2006, and raised $34.1 billion.

In addition to a stellar 2006, 2007 is working up to be another blockbuster year with the first quarter opening strongly. Plus massive private-equity IPOs (Blackstone, Carlyle, etc…) can only bolster the market as a whole new type of financial industry comes online.

“The fourth quarter of 2006 was the busiest for IPO activity by U.S. companies since 1999, raising $12.4 billion in 72 IPOs,” said Maria Pinelli, Americas Strategic Growth Markets Leader at Ernst & Young LLP. “In 2007, U.S.-based company activity continues to feed into the U.S. stock markets, which also attract key international IPOs, particularly in knowledge-driven sectors like technology and healthcare. Deal sizes are larger than ever and private equity is backing many of them.”

E&Y has some great additional details regarding the study, and I encourage everyone to review the data. The importance of this information is that it represents a quantifiable demonstration of the impacts of a heavily regulated financial market and the preference of companies to “go public”.

The past several months have seen massive debate regarding regulations such as SOX, and their negative impacts. These papers, while supported by well-researched financial data, are not consistent with the market performance and the entrance of companies into the public markets. A simple search via Google News will present the volumes of debate regarding SOX and competitiveness in the U.S.

The takeaway - Companies are going public in the U.S. within a heavily regulated environment. The U.S. markets may be more expensive for a company to operate within, but the upside from massive amounts of equity and a more transparent operational norm appears to be better for everyone. This conclusion has also been supported by several academic studies recently highlighted in the WSJ.

A tangent from internal controls, but highly valuable as the question of regulation and controls comes under fire.

James

Categories: Compliance · FERC · GLBA · NERC · Sarbanes-Oxley · State Laws · regulations · sox

New format - New Feature

May 16, 2007 · No Comments

As the hundreds of non-RSS readers know, a few days ago I switched the theme of this site to a simpler and easier-to-read layout. So, if you were tired of the dark fonts and murky background, please come by and let me know your feedback. I will still focus on PCI DSS, of course, but will be continuing to expand the topics covered on this site to include global IT control regulations. What does that mean? Well, any standard from the U.S., the EU, and anywhere else will be given some room. I will attempt to not merely repeat the obvious when news breaks, but instead focus on posting intelligent perspectives on the changes around the world.

Another change to the site is the “NEWS Feed” on the right hand side of this site. Please check it out, and feel free to set those as an RSS feed too. The NEWS Feed is my filter on what is important around the globe on the above topics. I sort through literally hundreds of posts, news items, client emails, and service provider information in an attempt to clear out the noise.

It is a new year (my fiscal year clearly is not following the Dec 31 date), and the plan for this site is simple. Keep posting helpful information whenever possible, and don’t simply post to post. On a personal note, I will update the Press Release page and About soon - and look forward to everyone’s comments and suggestions.

Always,

James DeLuccia IV

Categories: CoBIT · Compliance · FERC · GLBA · IT Controls · ITIL · NERC · PCI DSS · ROI · Risk Management · Sarbanes-Oxley · Security · State Laws · regulations · sox

TJX Hacked; International customer impacts; personal section of WSJ?

January 26, 2007 · 1 Comment

[Updated as of 2/1/07]

I have been following this debacle with TJX, where the number of accounts stolen was described as follows: “‘a limited number’ of individuals had been stolen from the compromised system. And by ‘limited’ we mean substantially less than millions,” said McConnell. Supposedly, from the news sources, the intruders had access not only to the credit card processing systems and stored data, but also to the financial accounting systems. Up to this point the impact and damages are spreading with each passing day, and I imagine this will encourage greater adherence to the PCI DSS. It is unfortunate that it requires incidents like CardSystems and now TJX to really gain acceptance, but at least we are there.

Another point that concerned me over the TJX situation is their ability to vouch for their financial statements under SOX and international standards. If they truly did not have control over the environment, then I imagine any auditor will be hard pressed to put his name down without an exhaustive walkthrough of every financial transaction. It is interesting that there has been zero discussion of these types of concerns in any of the media outlets.

I typically work with clients that are in these situations, or as an advisor to ensure such events never occur - the absolute security success measure: your client is never in “the WSJ” for these situations. Since I have no direct contact with TJX, I have refrained from speculating or publishing post-mortem thoughts and actions. That all changed when I saw that this very severe situation was pushed to the Personal Technology section of the Wall Street Journal (“Wide Credit-Card Fraud Surfaces in TJX Hacking” by JOSEPH PEREIRA, January 25, 2007; Page D3). To that point, I will make this post an accounting of what is known - and what this may mean in the long run. I will be sure to provide references to sources, as I am able. I hope this condensed accounting presents a clearer picture of the true importance of compliance with PCI DSS, and for that matter of maintaining a strong Control Environment for your customers, employees, and shareholders.

#1. There was a breach, but were the accounts used or merely misplaced or stolen by some kids in VA?

According to MBA spokesman Bruce Spitzer, “…hundreds of thousands of customer accounts …” were involved. These accounts were stolen, most likely sold, distributed around the world, and are being charged up at this moment.

#2. Where are people using these fraudulent accounts? (Is it in my backyard?)

According to the WSJ article - Multiple States in the U.S. (Georgia, Florida, and Louisiana - updated), Hong Kong, and Sweden

#3. Who was affected by this breach? Domestic? International?

Reports state that the systems affected were the systems that managed the return merchandise. (Update 2/1/07: Driver’s License information also stolen. Update 1/30/07: Credit cards, Debit Cards, and CHECK information was stored, and subsequently stolen) Reports show that customers within the United States and abroad (Canada) have already been affected, or alerted to be wary of their credit (United Kingdom).

#4. I thought PCI DSS stated that records of a sensitive nature should be wiped after a reasonable amount of time for processing (i.e. seconds). How wide is the timeframe at risk from this breach?

“Chairman Ben Cammarata says information on transactions made between May and December last year may have been accessed…” JD: That is well beyond any allowable standard, and certainly not within the limits of PCI DSS. A great follow-up question would ask why they kept such data online for such a long period of time.

#5. Advice Good and Not Great - in any event like this breach individuals offer their wisdom, and sometimes it is not quite right. So be wary of those that make curious guarantees, or they may offer you some tulips for your trouble.

Quoted in its entirety: “David Roberts, chief executive of The Corporate IT Forum, says it appears the retailer may have underinvested in systems to protect information. ‘I do not know of any other retailer that has suffered a similar attack in recent years. It will require a major revision to ensure its systems are foolproof,’ he said.” JD: Emphasis added.

The reality is there is no foolproof system that they can employ to prevent this attack from happening 100% of the time. They can layer technologies with procedures, and through this effort make it not worth trying to exploit the system. The simplest approach is to make the data inaccessible - either delete it, or encrypt it (please choose a vendor responsibly, as each has features that allow for seamless integration).

#6. Exactly how many accounts were stolen?

A news agency has reported that “millions of customers’ financial information…” — credit cards, debit cards, even checks.

200,000 accounts have been identified in Massachusetts alone as being compromised.

#7. Why did TJX take so long to disclose the situation? Why are only some banks and customers being notified?

The laws are different in every country, and it is up to the company to decide who should be notified (if at all), and in what manner. That is, unless a law is in place. There are several laws that require disclosure in situations like this in the United States (30 state laws and 1 Federal, I believe, at last count), and international regulations are catching on to the need.

A bit of history - CA was the only state to require disclosure of this nature, with SB-1386. No other real laws were developed until an Atlanta-based company was not inclined to warn all citizens in the United States. This action prompted 22 other states to pass legislation.

This TJX incident will be the impetus for further international disclosure laws - Canada is the first, and not the last.

“The recent privacy breaches clearly demonstrate the need to address the issue of notification,” said Anne-Marie Hayden, a spokeswoman for Ms. Stoddart. “I think it’s safe to say that when the commissioner reappears before the parliamentary committee she will recommend amending [privacy laws] to include provisions that would require companies to notify our office and, of course, the individuals affected, when there is a privacy breach.” Source cited.

[Updated 1/30/07] - The breach occurred in May, and not December. The first press release stated they “detected” it in December, but now are releasing it occurred nearly 6 months ago.

[Updated 2/1/07] - “The breach affected data as far back as 2003” JD: Sensitive data should be securely archived based on a business need. Beyond being in absolute violation of industry best practices - this is against any good business / information security / data custodian practices.

#8.  [Updated 2/1/07]  What is the business impact of this breach?

[Updated 2/1/07] Typically the cost involved in any breach includes the cost of replacing the consumers' cards, the additional manpower to bring systems up to a higher level of security (technology acquisition + consulting fees), legal fees, press release fees, compliance fines, and of course civil action damages. Beyond the distraction to the business and the delay of business-critical projects, the soft costs also include loss of consumer goodwill.

[Updated 2/1/07] Hard costs from the TJX breach: One bank (of 240) reported it is reissuing 20,000 cards at $5 each, totaling $100,000.

[Updated 2/1/07] According to Gartner, a breach of this magnitude, with so much disclosure, legal, and technology cost involved, can reach $60-90 per account - totaling (for this single bank): $1,200,000

[Updated 2/1/07] If we consider TJX’s likely financial costs - 200,000 accounts * $5 or $60 = $1,000,000 or $12,000,000.

[Updated 1/30/07] - 50 banks alone in Massachusetts have reported being impacted by the breach - Cited

[Updated 1/30/07] - Class action lawsuit filed in Canada for negligence - Cited

[Updated 1/30/07] - Track 2 Data stored by TJX - in violation of PCI DSS - Cited
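The two PCI DSS failures called out above (cardholder data kept online for months, and Track 2 data stored at all) are the kind a data custodian can check for mechanically. The following is an added example of mine, not code from the post or from TJX: a small Python audit that flags stored Track 2 data and cardholder data retained past a policy window, run against constructed records that use the industry's standard test card numbers and invented capture dates.

```python
import re
from datetime import date, timedelta

# Track 2 layout: PAN, '=' separator, YYMM expiry, 3-digit service code, then
# discretionary data. Storing this after authorization is never permitted.
TRACK2_RE = re.compile(r"^(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample records (hypothetical): PANs are the industry's standard
# test numbers, not real cards; capture dates are invented for the example.
SAMPLE_RECORDS = [
    {"id": 1, "captured": date(2006, 12, 20), "data": "4111111111111111=07121011234567890"},
    {"id": 2, "captured": date(2006, 5, 3), "data": "tok_7f3a9c"},
    {"id": 3, "captured": date(2006, 9, 1), "data": "5500000000000004"},
    {"id": 4, "captured": date(2003, 8, 15), "data": "378282246310005=05091011234"},
]


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check, used to cut false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(data: str) -> str:
    """Return 'track2', 'pan' or 'none' for one stored field."""
    m = TRACK2_RE.match(data)
    if m and luhn_valid(m.group("pan")):
        return "track2"
    m = PAN_RE.search(data)
    if m and luhn_valid(m.group(1)):
        return "pan"
    return "none"


def audit(records, as_of: date, retention_days: int):
    """Flag stored Track 2 data (never allowed, whatever its age) and any
    cardholder data older than the retention window. Records holding no
    card data (e.g. a token) are ignored even when they are old."""
    cutoff = as_of - timedelta(days=retention_days)
    findings = []
    for rec in records:
        kind = classify(rec["data"])
        if kind == "none":
            continue
        if kind == "track2":
            findings.append((rec["id"], "track2_stored"))
        if rec["captured"] < cutoff:
            findings.append((rec["id"], "retained_past_window"))
    return findings


def sample_findings():
    # Constructed as-of date and an assumed 90-day business retention window.
    return audit(SAMPLE_RECORDS, date(2007, 1, 17), 90)


if __name__ == "__main__":
    for rec_id, issue in sample_findings():
        print(f"record {rec_id}: {issue}")
```

The tokenized record is deliberately older than the window and produces no finding, which is the point of tokenizing or deleting rather than keeping the PAN.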

As more data emerges and the story unravels I will try to continue posting updates. If there are other good sources - please post links below! Let's learn from this breach, and move forward stronger as a community.

James DeLuccia IV

Categories: Compliance · IT Controls · PCI DSS · Risk Management · Sarbanes-Oxley · Security · regulations · sox