Skip to content

1

Good Security means doing good basic IT.

And sometimes it also means keeping up with new compliance initiatives by industry or government.

This year October 1, 2015 there is a new Payment Card Industry(PCI) rule going into effect. On October 1st the liability of a security breach will go to the merchant not the bank or processor.

Here is an article that discusses certain aspects of the http://news.investors.com/technology/032015-744412-latest-point-of-sale-endpoint-security-tackles-expensive-breaches.htm Point Of Sale system.

EMV (the Europay MasterCard Visa credit card standard) will come to the US by October 1st as well. And if you will get new machines anyway get ones which have point-to-point  encryption.

cardpresentvulnerabilitiesImage from visa.com
the problems in most small merchants are basic in nature. the PCI Industry has created a standard:
which is located in the following location: https://www.pcisecuritystandards.org/
  • Insecure remote access used by attackers
  • Weak or Default passwords and setting commonly used
  • Lack of network segmentation
  • Malware deployed to capture t card data.
  • Absence of antivirus tools to detect malware

 

If you add a firewall and Intrusion Prevention Systems  you will protect yourself even further.

http://oversitesentry.com/cyberwar-you-aint-seen-nothin-yet/

Then  add the Polliwall, now it will be almost impossible for the standard criminals to take your systems. None of us can defend against the nation states, but if we can defend against everyone else then we have created the defensive system for 2015.

What does PCI compliance really mean?

There are similarities with ISO27001, PCI compliance is set up as an audit of the IT department with a specific emphasis of credit card security as well. Whereas ISO27001 is more of an audit of the processes of a company. This makes sense in a manufacturing environment where it is important that your processes show what occurs in the manufacturing and delivery of a product. A product that has to be created can have errors introduced in the creation step. And this is where Six Sigma(Quality Assurance standard) has come into place.

Our blogpost(at Oversitesentry.com) where we say Six Sigma security is needed.

But as the title mentions, the real reason for PCI compliance adherence are legal liabilities as will be proved.

The 106 page pdf (plus 6 pages in appendix) document of the latest PCI standards (DSS3.0) by pcistandards.org at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

 

The document outlines many aspects of the Payment Card Industry (PCI) expectations of security. Which are security practices made up of common sense:

1. Implement a firewall, with good access control in all connections to the Internet - including DMZ (DeMilitarized Zone). If you have a single connection and single location it is straight forward, but if it is not, then the standard still tries to keep in mind the additional complexity without losing security aspects.

2. The network defense is not complete without a discussion of a personal firewall on the desktop, and later in the document an antivirus solution. The Microsoft Global Policy should also be discussed. (where all aspects of the desktop can be controlled if so desired.

3. A lot of points are made about changing default configurations and passwords in all systems, this is another good common sense item.

4. Any protocols so deemed "insecure" should be shored up as best as possible (there is a lot of latitude here, since there can be many different potential issues)

5. Using proper logs is important

6. Encrypt where necessary, as the credit card numbers should be encrypted over the Internet or wireless access points. And this has to be "verified". Again this is due to legal concerns.

Later in document - use an intrusion detection system so as to know what is being attacked and how you are attacked. Keeping the logs is important not just for reasons like finding out what is going on in your network, but it is important to reconstruct in case of legal liability. Whenever the document says "Verify" it means if you do not, then a lawyer will make you pay for it in the future.

How do I say this with certainty?

http://www.bankinfosecurity.com/retail-breach-compromised-millions-cards-a-5688/op-1 has a sentence in here of note:

"The company also pointed that as of its most recent audit, conducted in November 2012, it was compliance with the Payment Card Industry Data Security Standard."

How about this link?

https://www.paylinedata.com/payments/schnuck-markets-files-sealed-lawsuit-two-payment-processors-data-breach/

" In St. Louis Missouri, Schnuck Grocery store recently sued two payment processing companies. Currently the details of the lawsuit have not been released, but many can speculate that this is due to the recent breach of credit card data that impacted millions of customers at the the large grocery chain."

How could Schnucks end up suing the payment processors? if they had not done their due diligence in the PCI compliance audits as required by the industry. I believe this does not require the knowledge of the outcome.

So that is why we are confident in saying: PCI compliance has to do with legal liability.

What are you waiting for?  The ambulance attorneys will chase you when(not if) a breach occurs.

 

Contact Us as we can help you with the future audit and legal liabilities beckon.

 

In the end it is the criminals versus the legal liabilities that you must wrestle with

Kmart-logowithscales of justice I post this doctored image of Kmart's logo, as they were hacked as well - although I am not sure of their PCI compliance.

pcibestpractices


To be PCI compliant means there is a Security policy in place.

We can help with a security policy or with the documentation for PCI compliance -

There are a lot of items to check and verify.

 

Don't forget to check cloud services that you may have.

 

Contact us with any concerns of security policies and PCI compliance issues

NewsofDay: On CMS systems review from this post: http://securityintelligence.com/cms-hacking-2014-by-the-numbers/

Also for TipofDay: PCI compliance the new page created at Oversitesentry (My blog)

http://oversitesentry.com/pci-compliance/

Threatpost blog post: http://threatpost.com/microsoft-recalls-patch-tuesday-exchange-update/109844

about the exchange server patch rollback (uninstall).

 

The TipofDay is about PCI compliance - security policy must be created.

some parts of the PCI DSS3.0 standard is not very specific (since there are many different types of environments.

What is the reason one hires an independent CPA to check your financial books?

fixvirus-logo-small

Unfortunately even where employees are trustworthy and capable, it makes sense to periodically review their work.

Even the PCI Security Standards Council has the following as "Testing Procedures"

6.1.b Interview responsible personnel and observe processes to verify that:
 New security vulnerabilities are identified.
 A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
 Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.

Are you really performing this function with internal personnel? Can you ensure that it is done with accuracy and efficiency over the long term?

For an independent review to occur by definition it must be "Independent"

That is why we have developed a basic Alpha Security scan  to give information to the IT department and management so they can run more efficiently and with higher security.

DARKReading has the highlights of the changes of v3.0 compared with v2.0

SearchSecurity also has a synopsis - with the 5 most important changes:

1. Pentesting (Penetration testing)

2. inventory system components

3. Vendor relationships

4. Antimalware

5. Physical access

All of the changes make sense in light of the Target breach which we will review in more detail on a separate post. the most important is the Pentesting and segmentation of networks from your vendors.  It is likely that one of the vendors at Target caused the breach, or at least helped the exfiltration of the Credit card data.

Here is a snapshot from the actual v3.0 PCI DSS doc

pcibestpractices

Have you checked wifi signals as to their effectiveness?

Is your wifi router/ access point using good encryption technology?

Wardriving: Peter Shipley coined the term "wardriving" the practice of deliberately searching a local area looking for wifi networking signals.

You do know that some wifi(WEP) encryption is easier to hack and break into than others(WPA2)

There are also other ways that people attack you and your information and resources.

Hackers use fake wifi access points to steal peoples logins. be careful where you accept a wifi connection, as unencrypted wifi can be very dangerous, at lest assume that all your network traffic can be stolen and analyzed.  I.e. do not enter userids and passwords on unencrypted wifi connections.

 

we can help you test and audit your wifi, including for PCI auditing purposes (has to be done quarterly

PCISecurityStandards.org  has a website and it's response to the Target Data breach:

"As part of this security effort, the Council maintains that adherence to and maintenance of the Payment Card Industry Data Security Standard (PCI DSS) is the best defense against data breaches."

What is this "adherence to the PCI DSS?

To look at the actual requirements and procedures you have to agree to their terms and conditions.

The standard says to maintain a vulnerability management program.

Among other items:

NIST SP800-115 is the sample standard for penetration testing methodologies.

Examine Security policies and procedures.

"Verify responsibility" is sprinkled in multiple times in the PCI DSS standard.  Each person or team with responsibilities should be clearly aware of their responsibilities.

 

I know a "Guidance" that would make PCI DSS even stronger:   Use an independent reviewer (second pair of eyes) such as Fixvirus.com

Dark Reading has an interesting article about how Target was compliant with PCI(Payment Card Industry) standards and it was not enough.

The Point of Sale terminals were infected with malware specific to Point Of Sale terminals, stole the CC# and the 3 digit CV code as well.  So it was designed to steal the complete magnetic strip information.

Many parties may be to blame in this, but what can you do in the meantime?

Test your systems - check for malware, in an automated manner. If there are unknown pieces of software or ports open on your computers then that means it requires more investigations and cleaning the systems.

 

Use our Alpha-A, Sigma-Σ, and Omega-Ω services.  (A – Σ – Ω)