Tag Archives: qsa

New and Improved OWASP Top 10 and its effects on PCI & IT Controls

On April 19, 2010 OWASP released the final version of its world-renowned Top 10 list.  While the updates are not a surprise, given the lengthy discussions and feedback this updated list received, it will have an impact on organizations worldwide.  In the world of payment card transaction security, the standard directly states under requirement 6.5 that organizations are to rely upon the current version of the OWASP Top 10 to meet the web application safeguards requirement.

Beyond PCI DSS, there are other industry standards and organization practices that rely upon baselines, such as OWASP, to focus security efforts.
Organizations should take this opportunity to evaluate their…

  1. Information Technology governance programs,
  2. SDLC,
  3. Change Control,
  4. Secure Coding training,
  5. Secure Code testing,
  6. Attack detection/prevention technologies

…to ensure these risks are incorporated and the controls operate effectively.

The 2010 OWASP Top 10 are:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards
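Since PCI DSS requirement 6.5 points secure coding training and code testing at this list, it helps to see what one category looks like in code. The following is an added example, not code from the original post or from OWASP: a redirect-target validator for A10 (Unvalidated Redirects and Forwards) in Python. The application, its `ALLOWED_HOSTS` allowlist and the `safe_redirect_target` function are all assumptions made for this illustration. It goes slightly beyond the bare category name by handling the parsing quirks a validator has to get right: protocol-relative URLs (`//host`), backslashes that browsers treat as slashes, non-HTTPS schemes, credentials embedded before the host, and malformed ports.

```python
"""Constructed example: validating a redirect target (OWASP 2010 A10).

A `next=` or `returnUrl=` parameter that is sent straight to a 302 lets an
attacker bounce users through a trusted domain onto a phishing site.  The
fix is to only redirect to locations the application can positively verify.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts this hypothetical application is willing to redirect to (assumed).
ALLOWED_HOSTS = {"shop.example.com", "pay.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect location that stays on an approved host.

    Anything that cannot be positively verified falls back to `default`.
    The checks are ordered so that parsing quirks (control characters,
    backslashes, protocol-relative URLs) are rejected before the host is
    compared against the allowlist.
    """
    if not isinstance(target, str) or not target:
        return default
    target = target.strip()
    # Control characters are treated as separators by some parsers; refuse them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return default
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    # Normalise before parsing so urlsplit sees what the browser would see.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    # Case 1: a relative path on this origin.  It must start with exactly one
    # "/"; "//host" is protocol-relative and would leave the site.
    if not parts.scheme and not parts.netloc:
        if normalised.startswith("/") and not normalised.startswith("//"):
            return normalised
        return default

    # Case 2: an absolute URL.  Only https, only allowlisted hosts, and no
    # userinfo (https://shop.example.com@evil.example/ has host evil.example).
    if parts.scheme.lower() != "https":
        return default
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return default
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS or parts.username or parts.password:
        return default
    netloc = f"{host}:{port}" if port else host
    # Rebuild the URL from the validated pieces rather than echoing the input.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs a login handler might receive in a `next=` parameter.
    for candidate in [
        "/account/orders",
        "//evil.example/",
        "/\\evil.example/",
        "https://shop.example.com/cart?x=1",
        "https://shop.example.com@evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The design choice worth noting is the fallback: an unverifiable target is replaced with a known-safe default rather than rejected with an error, so the login flow still completes and the attacker gains nothing from a malformed value. The same function can serve internal forwards by dropping the absolute-URL branch entirely.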

Please visit OWASP to find more tools and great discussions on web application security.  Contributors are always welcome and there are chapters around the world.

Here is a link to PCI DSS
Here is a link to the OWASP Top 10 PDF


James DeLuccia

Visa Europe on Data Field Encryption, PCI DSS

This month (March 2010) Visa Europe released a full guidance document on Data Field Encryption: Device and Key Management Guidance.  This relates directly to “end-to-end” encryption, “point-to-point” encryption or “account data” encryption and the process of securing transaction data in transit and in storage.  This has been a critical focus of the payment card community.  A nice article highlighting the benefits of this guidance document and endorsements by major organizations in Europe can be found here.

Simply put, the guidance provides 71 pages of excellent, specific data on what these technologies should be doing at a minimum.  This gives operators and auditors a tool to compare, on equal terms, the varied solutions being deployed globally, and a common baseline of control safeguards.

The full guidance document may be downloaded here.  A direct link to the PDF is here.

Please note this is focused on Visa Europe.

Thoughts and concerns with this guidance and / or the technology?

James DeLuccia

My Thoughts on the Federal Reserve Workshop paper with Heartland Payment Systems

Heartland Payment Systems: Lessons Learned from a Data Breach (Published as a discussion paper, by the Federal Reserve Bank of Philadelphia).  In this discussion paper, Senior Industry Specialist Julia Cheney summarizes a workshop hosted by the Payment Cards Center on August 13, 2009. The workshop examined the changing nature of data security in consumer electronic payments. The center invited the chairman and CEO of Heartland Payment Systems (HPS), Robert Carr, to lead this discussion and to share his experiences stemming from the data breach at his company in late 2008 and, as important, to discuss lessons learned as a result of this event.

Mr. Carr, CEO of Heartland Payment Systems (which suffered a data breach over many months that exposed nearly 100 million accounts in 2008, and is also a highly successful processor), highlights the need to disclose the methods and techniques employed during successful attacks (internally to the QSA / PCI / auditors, and externally to other financial institutions).  My preference for disclosure may be broader, to include the merchants and other parties, as this information can be communicated without exposing competitive information.  These attack details can be used to pragmatically improve both the PCI DSS and in-operation business environments.  The lack of such intelligence only makes an attack cheaper for the attackers, as they can reuse code and techniques.

Mr. Carr makes it a point to highlight that 7% of his information technology staff are focused on Information Security.  An interesting question / metric would be: is this sufficient? While I am certain that programmers, technical business analysts, web designers, and all levels of operational IT teams have a job description stating that they follow good security practices, how can this be managed and improved via metrics?  [Not a judgment, but an open question for thought and reflection]

Mr. Carr made several instructive observations:

  1. Do not underestimate the insider threat – I agree with this, but would go beyond his focus on internal employees inadvertently creating risks.  Insider threats can also be machines that have themselves been compromised and are untrusted.  These beachhead systems in less restrictive environments are able to easily capture data in transit, and to seek out the data at rest.  Therefore all systems connected within an “open” network must be considered untrusted, which has been the running definition under PCI DSS.
  2. Ensure the appropriate audit scope – ABSOLUTELY, this is a must and falls on both management and the auditors on hand.  The audits are a demonstration of management’s control environment.  So, it is in the interest of both parties to be open and honest with each other.  Cooperation, not opposition, is the only meaningful way to evaluate and improve business operations.
  3. In-house security – I agree that top-level oversight is needed.

Mr. Carr goes on to say:

“…security protocols must be universally applied and enforced among all employees, at all levels of hierarchy and across all departments. Ensuring that auditors have a wide scope to review systems for security vulnerabilities is also important to identify situations, such as happened at Heartland, in which fraudsters were able to penetrate the processing systems by first compromising another, separate network, in this case the corporate network. Finally, security expertise and strategic planning are critical skills that should be emphasized at the highest levels of the corporate structure.” (Page 8)

The remainder of the paper provides a nice overview of three payment card solutions for data-in-motion security: End-to-End Encryption, Tokenization, and Chip Technology.  I won’t elaborate here, but they are certainly worth reading for a summary explanation of each.

I agree with Heartland’s approach of proactiveness, and hope it will lead to similar efforts that raise the entire security baseline within the payment card security space.

It is important to highlight, though, the need for security across the whole environment: security in only one section of a network is reckless if there is not physical separation in both staff and systems.  Good security, and the compliance that results from it, is achievable, and as Mr. Carr highlights it can be good for business.

Other thoughts and takeaways?

Here is a link to the group Mr. Carr referred to in the article.

Also, a big thank you to the Federal Reserve and Heartland for putting this article online – link to Federal Reserve and direct link to PDF.


James DeLuccia

How to choose a PCI DSS QSA Auditor!!

Don’t choose the lowest bidder when you are seeking the best QSA to do your onsite PCI DSS audit.  This is not an article to inflate the costs of validating your compliance program, but instead intended to LOWER the cost of the PCI onsite audit.

While giving training this week on PCI DSS, a great conversation developed in which we outlined what should be strongly considered when hiring a QSA for the business.  The points below capture a conversation that will surely continue:

  • Selecting a QSA auditor should be done in partnership with the Internal Audit team, the Technology leadership, and the Relationship manager (or person charged with ‘owning’ the payment transactions within the business).

There is no shortage of audit firms willing to do the work, so a whittling process is necessary:

  • Consider geographic location – you want a firm that is local or has local resources, so you can have plenty of face time without incurring burdensome travel expenses
  • Consider the firm’s experience in YOUR line of business – request a specific client reference that you can speak with before signing an agreement
  • Request that the firm explicitly list the auditor by name / certifications on the contract, to ensure you can compare equivalent contract proposals
  • Require a process flow on how INTERPRETATIONS will be approached, and their process for handling disagreements with those interpretations.  Remember the QSA is charged with the subjective portion of determining whether the controls are valid, so you need to be sure there is a process with reasonable qualifications on both sides of the table to ensure you have a workable process
  • Require a breakdown of how they will handle prior QSA work.  Will they use it; will they accept it; what will cause prior work to be considered non-compliant?

Please consider these practices along with your existing mature vendor vetting process.  Today is Day 2 of the PCI DSS training here in Atlanta, so I will add any additional insights as they come up.


James DeLuccia IV