Branden Williams is a long-time security professional. His primary focus is Payment Card Industry related services in the Global Security Consulting group.

When he is not on the road or looking for a great brewpub, he resides in Flower Mound, Texas.

Contact Branden at: TheSecurityBlog@gmail.com.

May 13, 2008

Will you meet the 6.6 PCI Requirement by June 30?

Well? Will you?

We're waiting!??

Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan from Computerworld writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the Council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6.

In this clarification, the Council declared the intent of the code review component to include "Manual web application security vulnerability assessment" and "Proper use of automated web application security vulnerability assessment (scanning) tools." So essentially, if you are getting something like VeriSign's Premium Vulnerability Management Service, you meet this requirement. You could also count your penetration test, as long as the application has not changed since that penetration test was performed and the test covers the entire application with manual interaction. VeriSign's Penetration Testing services DO cover this.

There will be some merchants that do not meet the requirement, but those merchants have likely been doing just the bare minimum, or "Managing Checkmarks," as opposed to building a sound security infrastructure and fitting compliance inside it. Merchants doing that are probably not fully compliant on any given day anyway.

May 09, 2008

PCI News Flash! QSA Lookup!

Do you wonder if the consultants that your QSAC sends on-site are actually QSAs? Well, now you can check! For some reason, not all of VeriSign's QSAs appear in this list, but we're diligently working to correct that. I can only imagine the large QSACs are probably flooding Cathy with email right now.

May 06, 2008

Brando, On Writing

Greetings everyone! Go check out my guest post on Karen Swim's fantastic blog, Words for Hire.

"Step 1: Extinguish the precipitous rubescent LED-based luminosity!"

May 05, 2008

Why PCI will Never be a Federal Mandate

One of the arguments for becoming PCI compliant is to keep this an industry regulated certification, versus having to deal with a federal mandate like Sarbanes-Oxley. People often ask me if I think PCI will become a federal mandate. I don't think it is possible.

Most federal mandates are designed to protect their citizens (I said MOST... ok?). The electronic payment system already has mandates to protect the citizens. For example, did you know that the Fair Credit Billing Act limits your liability to $50 for unauthorized charges? Personal experience says $0 liability if the physical card is still in your possession.

PCI is designed to minimize losses to issuers and the brands caused by a credit card breach and instill confidence in the payment system. As an important side effect, it promotes information security inside retailers and reduces the losses that would be associated with a breach of their systems (potential brand damage, fines, and consulting fees).

Since the citizens are already protected, and breaches do not directly affect the money system (they affect companies), I don't believe the federal government will get involved. We've seen state governments pass legislation, but it is still untested in the courts and I have doubts about its enforceability. Keep in mind, credit card fraud is not the same as identity theft, and I believe we will see much more legislation on that in the future.

May 02, 2008

Am I too trusting?

Monday was presentation day at CSI-SX. I had a decent crowd, for the breakout session! One day, I'll do a talk that is not the last session of the day :)

While I was in between sessions sitting in the speakers lounge, one of the other speakers (I did not catch his name) dropped his computer bag and jacket on the chair across from me. I looked up, nodded, and went back to my work. He proceeded to pull out one of those laptop locking devices that you see at public terminals. You know, the ones you can beat with a toilet paper tube. He then secured the whole apparatus (bag included) to the chair! A conference chair. The ones that weigh like ten pounds.

I was not watching him the whole time, but I did not see him ever leave the room. The room was maybe 100' x 40' and he sat down on the couch less than 10 feet away. What benefit would someone get by "securing" the laptop and bag to the chair? Am I not paranoid enough?

May 01, 2008

PCI Council Reinforces Standard

The PCI Security Standards Council released a statement yesterday defending the PCI-DSS against claims that the standard is not strict enough and will not protect against common attacks. This is the first real communication we've gotten from the council since the announcement of the Hannaford breach earlier this year.

This statement is the first to be released to try to counter the negative press from Hannaford telling the world that they were compliant with PCI. This was the first breach of a Level 1 merchant that had validated compliance through a QSA. After reading the statement from the Council, vague as it is, merchants should feel better about their PCI programs.

The PCI DSS, if properly implemented on a merchant or service providers' network, provides the security controls necessary to prevent hackers from penetrating a payment environment and installing malicious software that would jeopardize the protection of card data as it is being processed.

So does that mean that PCI DSS was not properly implemented at Hannaford? If it was not properly implemented, how would they have passed a QSA's PCI assessment? Maybe the new Q/A program at the council will address something like this, but then again, maybe it is all up to interpretation?

April 30, 2008

Are we ever safe?

The Register is reporting that McAfee's "Hacker Safe" sites are not so much. In the security industry, we typically refrain from saying things are 100% secure, simply because the only 100% secure computer is the one that does not exist.

April 27, 2008

On my way to CSI-SX!

Bout to go board my jet-fueled chariot right now. If you are going, look me up on Twitter! I'm planning on taking a cab to the hotel, checking in, and seeing if any conference goings on are... going on.

See you there!

April 24, 2008

Tee Hee - Eee Pee Cee

GloboTV (via Gizmodo) has a story (in Brazilian Portuguese) about some crooks that used the Eee PC to steal customers' debit information at ATMs.

Tee Hee.

April 23, 2008

Busy Week in PCI Land

I'm going to aggregate several PCI related things here in one post as it has been a busy week in PCI Land! I have other things I want to write about, so stay tuned for more stuff later today and throughout the week.

First off, the Council has released the Payment Application Data Security Standard (PA-DSS). This replaces Visa's Payment Application Best Practices program, and your Point Of Sale application should comply by July 2010, or your customers may not be able to accept Visa cards! Nothing we did not already know, but it is now finally released.

Next, the Council also released clarifications on Requirements 6.6 and 11.3 (apparently a very hotly debated topic in a recent QSA Requalification class). There are two very important issues to pull out of the clarification.

On Requirement 11.3 (annual penetration test), the clarification makes mention that the penetration test should also include an on-site (or internal) penetration attempt. This will drive the cost of these assessments up a bit, but I think there is some room for innovation. Just depends how risk-averse a company really is.

The real doozy is on Requirement 6.6 (periodic code review or web application firewall on all web-facing apps). There really appears to be overlap here now. In lieu of a code review or web app firewall, the Council has elaborated on how the intent of a code review can be carried out. They say that a "Manual web application security vulnerability assessment and/or proper use of automated web application security vulnerability assessment (scanning) tools" can be used in lieu of an actual code review.

In a normal application penetration test that VeriSign performs, we already would perform the above. Does that mean if you get a Penetration Test by VeriSign that you automatically comply with both 11.3 and 6.6? If we take the guidance of the Council, it does.

I was disappointed by the 6.6 clarification as it does not seem to have legs any more. VeriSign typically recommends that a code review be performed as part of your PCI strategy. We believe that you should fix the problem at the source (pun intended) instead of trying to put another filter in-line. Passive web application firewalls have their place in any sound security strategy, but the fact remains that the most effective way to remove the threat of these vulnerabilities is to fix the problem in the code.

As an example, during a recent code review we performed, we found several vulnerabilities that would not be caught by an automated tool, yet could be exploited remotely. When you are working with the code, you are not working blind behind the mask of the interface.

In other news, Visa released a bulletin on packet sniffing cardholder data, no doubt in response to a recent breach. VeriSign has often recommended using encryption over the wire to help reduce insider threats. Visa echoes that strategy in the recommended mitigation section.

OK, enough PCI for today!