Branden Williams' Security Convergence Blog

Skimming (in the credit card world) is commonly defined as capturing magnetic stripe data during the normal payment process by swiping it through an external (or even inline) device before or after the authorization swipe. External devices are commonly found in stores where a payment instrument is presented, and someone takes the card away from view to process, like at a restaurant. Inline skimming occurs where the cardholder is present during the swiping, and usually involves tampered swipe devices.

The PCI Security Standards Council recently released an EXCELLENT guide with tips on preventing skimming, with sample forms that you can use to track your progress. Most of the skimming techniques employed can be addressed with physical inspection, something with which this guide goes into great detail. Consider doing your visual inspections during a shift change, or at least upon the opening and closing of the stores. Simple visual inspection can go a long way to preventing skimming.

Posted by Branden Williams at 6:37 AM | Permalink | Comments (0)

PIN-based debit authorization rates have recently increased dramatically, some merchants complaining that their auth rates have increased up to four times their previous rate. In some armchair research, I learned that Interlink (Visa) and Pulse (Discover) have removed interchange caps on transactions. For most merchants, it is still cheaper to process a PIN-Based Debit transaction than a credit card transaction (on a per transaction basis), but for others it is about the same. Or at least the difference in cost is so minimal that their volumes don't force an advantage one way or the other.

Visa is enforcing PIN Entry Device (PED) mandates, effective on July 1, 2010, whereby all PEDs must comply with the PCI PED Standard. For retailers purchasing new equipment in the last five years, this should not be an issue. But for one industry in particular, the desire for electronic signature capture or other payment initiatives has not driven the purchase of replacement payment equipment.

Fuel!

Think about your last trip to the gas station to fill up on petrol. Did you use a credit card or a PIN-based debit card? Actually, the card you used PROBABLY can do both, so which functionality or network did you use? Did you stick with Visa? Or did you use the debit side, Interlink?

If you used the debit side, the payment processing equipment in the pump may have used extremely weak or just single DES-based encryption. This equipment simply does not (in most cases) have the ability to do Triple-DES encryption for PIN-based debit authorization. So as a fuel provider that is looking at a five to ten year payback on any equipment purchased, do you make the jump to comply with these standards now? Or do you just turn off the PIN-based debit support?

Technically, providers can still use Signature-based debit authorizations (if you went inside to pay), so they would not be saying no to debit all together. Will new methods of payment be introduced that might render an investment in equipment today useless? Possibly, but I think what is worse is that the equipment providers woefully underestimated the demand for the product, and prices are likely to increase as merchants race to deploy compliant equipment.

If you are a fuel provider, would you consider disabling PIN-based debit at the pumps? Since nearly all cards that use PIN-based debit can also be used as a straight credit card authorization, wouldn't the extra per-transaction cost be worth it when facing a multi-million dollar (or at least into the tens of thousands for smaller franchisees with just a few locations) upgrade cost? What if you could slowly upgrade over the next five to ten years, and the upgraded equipment could also allow you to buy other things like sodas, fuel additives, or other convenience items right at the pump? Would your return far exceed that if you had to do the upgrades twice?

Consumers, would you not shop at a gas station that did not offer PIN-based debit as a payment option? Since you don't sign a receipt or signature pad at the pump, punching a PIN into the device seems like a lot of work!

Posted by Branden Williams at 9:04 AM | Permalink | Comments (0)

Celebrate from the mountain tops! Visa got some RSS! Hopefully they will be dutifully (or have scripts) updating the feed, unlike the PCI SSC's feed (which currently does not include their latest skimming guide) that traditionally lags behind. RSS is a GREAT way to keep your stakeholders in touch with your programs, but you really do have to stay on top of it!

Posted by Branden Williams at 4:32 AM | Permalink | Comments (1)

On Thursday, I threw out a blog post which I hope to be the start of a series playing on Dave Ramsey's style for financial peace, and realized I played the role of a consultant PERFECTLY (just like Marshall Eriksen might LAWYER you). SK pointed that out for me when he asks me to elaborate. In a back to school fashion, imagine this conversation as played through your teenage daughter's cell phone.

"I was all, 'Just find the data!', and he was all, 'Whatever.'"

I am so in touch with today's youth.

SK brought up a good point. Let's say you are working with an enterprise that does not have any of the following: 1) a working DLP solution, 2) a reasonable data architecture and framework defined, 3) a reasonable understanding of business process and data flows, and 4) a reasonably accurate configuration management database. Where do you start? Is data discovery even worth it?

First off, throw DLP out the window. Nearly every single DLP vendor missed the boat (or at least their sales and marketing arms have). Note to DLP vendors, it's really hard to sell the $7 million suite, but pretty easy to sell a $20K data discovery engagement (which could, of course, lead to that $7 million suite, or it could lead to a $50K/yr licensing deal for the tool). Most of my customers don't even want to hear about DLP because they don't see it as something for which they have budget.

Secondly, attack number three (TRICKY!), but use software to help validate what you learn by talking to people. Your business folks will not be 100% sure where their data is, or what data is on the systems they use. Talking to them will yield you an 80% picture (at best), so you need software to validate what they are saying. Free software like Spider from Cornell, or grep can be used to find sensitive data in your unstructured data space (like flat files). Trust your business folks, but VERIFY what they say.

While you are going through the verification process, see how your structured data is set up. This will be data that you find in databases all over your enterprise (yes, VSAM too). You will be amazed at what you can learn about your applications and your data by dumping schemas from every database WITH some sample random data out of each table. BE SURE to randomly select records from different operating times. Applications change; maybe the newest version of your application do not store social security numbers, but older versions may have. If someone did not go back and clean up the data after the upgrade, you've got a breach time-bomb on your hands.

Finally, if it applies, review your configuration management databases. Depending on your setup, this may or may not apply. If your applications rely on a configuration management database, you will absolutely need to address this.

Granted, finding out where your data lives will give you a massive amount of information. If you don't have a reasonably mature information security program in place already, you will be overwhelmed by the results of this exercise. As always, you and your organization will benefit greatly from a good security program, but if you don't have the funds for that, start by going on an electronic discovery and destruction initiative to effectively reduce the risk carried by the business.

Posted by Branden Williams at 6:03 AM | Permalink | Comments (0)

I've been on a Dave Ramsey kick lately. I like his message and his concept of declaring war on debt. One of his mantras can save people TONS of cash if they would just use basic things they learned in school.

"Do the math!"

Everyone out there has a brother-in-law, church buddy, or friend of a friend who is "a finance guy." We tend to listen to people we consider experts without questioning their motives, simply because we don't believe we can comprehend the complexity of the question enough to figure the answer out ourselves.

For example, several years ago I went to a car dealership to buy my wife a new car. I had just recently graduated with my MBA, brought my Texas Instruments BAII Plus, and got ready to talk numbers ((Hey, that education should be good for SOMETHING, right?!?)). I left my wife at home and headed out with strict instructions on make, model, and of course COLOR. Negotiators at car dealerships want you to focus on the monthly payment instead of what you are paying for the vehicle (at least in my experience). When I got the first offer back, I did the math and learned while most auto loans at the time were going for 6%, this dealer wanted to put me into a 9.5% loan. I ran the numbers MANY times thinking that my MBA failed me.

It didn't.

Because I did the math, not only did I save money on the monthly, but I also cut the money I paid in interest over the life of the loan almost in half!

You know what? I dreaded doing the math, but once I did it, I found it was easy to do, and kicked myself for not doing it more often. By starting with the basic math going into a financial instrument like a car loan, I was able to make smart decisions about the purchase to save money and ensure that it did not have an adverse effect on my financial situation.

If Dave Ramsey were a security pundit, I think he would modify the phrase to say "Find the Data!" In fact, let's call that Baby Step #1. FIND THE DATA.

Information security is designed to protect information (or data). So how exactly can we protect it if we don't know where it is?

(Please pause for a moment to let the enormity of the question sink in....)

How many of you out there work for companies with extensive data maps? My guess is probably no-one does. There may be a few of you out there that do, but most companies just make assumptions about systems needing to be secure, but pay no attention to the data stored on said systems. Here's why that is important.

Groups have tried to attach a cost per record should that record be stolen and part of a data breach. The data backing up these numbers is so wildly varying that making any decisions based on the results are foolish. It is a nice benchmark that can at least legitimize the cost associated with a data breach. And, more importantly, it quickly points out that if you don't store the data, you don't need to secure the data!!

So if you really go "Find the Data," you will exit that tremend0usly difficult project with a good idea of how bad the situation is. I promise you, it is worse than you think. You will find data that will shock you into rapidly doing SOMETHING about the mess. That is a vital tipping point to the whole process. Now that you know what data you store, and where you store it, you can begin to securely destroy data you do not need, and evaluate options for the data you do.

For the data that you DO need (and really, ask the hard questions), you should fight to the death to protect it. Centralized data is easier to protect than distributed data, but there are options to protect both.

Going about finding data in your enterprise looks like a daunting, near impossible task. I would probably agree! But spending the time to REALLY find it out will pay off in spades when you let someone else get breached.

Posted by Branden Williams at 6:14 AM | Permalink | Comments (4)

Well, I was waiting to see if anyone would catch it, and unfortunately it looks like a couple of industries struggling with Visa's Payment Application Mandates are not going to get a reprieve.

Earlier this month, I posted about some new Visa Payment Application Mandates. What I didn't drop into the blog post was that Visa made sure this new mandate did not supersede their previous mandate, meaning that US and Canada merchants do not get a two year reprieve and that these are now GLOBAL mandates. Non US/Canada merchants now have a reason to get moving and deploy up to date payment applications!

Posted by Branden Williams at 5:02 AM | Permalink | Comments (0)

Bob Carr was recently quoted in a Computerworld article saying that QSAs let [Heartland] down. Of course, he is not referring to his most RECENT QSA, but I'm sure that was an editorial change to make the story more interesting.

The article is a fantastic read, but also slightly humorous in nature. I'm going to leave Heartland's situation out of this post, and look at how other companies that have dealt with breaches. If you want to see what others are saying, check Rich Mogul, Mike Rothman, and Andy Willingham.

Nearly every company I have worked with suddenly "Gets Religion" after a breach. Prior to it, security is not top of mind, therefore things like PCI become burdensome as opposed to easy.

Security always becomes much more important after you've been bitten. It's a massive pendulum that swings WAY out on the over-reacting/knee-jerk edge, where before it was way out on the other edge of complacency and letting the risk ride. By the way, the blame for this lies securely on our shoulders--security professionals. We do not do a good enough job working with the business to help them understand real risks and costs of doing business, thus preventing something like this from happening.

Don't believe me? Here are some phrases I have NEVER HEARD come from one of my customers or prospects:

• Hey Brando, this price is OK, but can you double it and really dig beyond what is required by PCI DSS?


• I know this area over here is TECHNICALLY not in scope, but can you include it anyway so we can ensure we have good security controls there too?


• I need you to do a statistically valid sample with a higher error rate so I can do more validation on our IT processes.

• You don't need to look at any of these systems, they don't store CC data (which is technically a misconception because PCI applies to areas that also transmit or process data), so don't go into that room.


• Are you sure you have to perform that test? I only want the bare minimum.


• You have to pass me! My anniversary date is in two weeks and I cannot patch this two-month old vulnerability by then!


• Come on, two passwords is practically two-factor!


• Look at the real risk here! There's only 100K cards in plain text on this machine at any given time, that's not a big deal, right?

So here's the thing. Some QSAs WILL let you down. You get what you pay for, and some QSAs may not do a good job. The Q/A process from the Council is working to address this. But you are letting yourself down if you allow something like this to happen. If you realize that the assessment is not thorough, you should either work with the QSA to fix it or terminate the contract and find one that does have your best interests in mind.

______________________________________
¹ This is an important distinction. Companies that suffered breaches in the past sometimes become complacent and forget what they learned until the next one happens.

Posted by Branden Williams at 8:07 AM | Permalink | Comments (3)

FINALLY! An official statement from MasterCard! Last night, MasterCard posted a four page FAQ on their website to help us deal with the onslaught of buzz that came from their original posting. Some of it anecdotal and humorous (albeit literally true), some of it from this very blog.

Here's the meat of what you need to know:

• Level 1 merchants that engaged an internal audit team before 15 June 2009 must validate compliance with a QSA by December 31, 2010.
• Level 2 merchants must ALSO validate compliance with a QSA by December 31, 2010.
• Internal assessments MAY NOT be performed. The way that MasterCard words this, it appears to be a punt over to the Council. If the Council would offer QSA training and certify employees of non-QSA companies, MasterCard may alter their position.
• These deadlines do not alter a merchant's (or service provider's) annual anniversary date.
• Merchants must be compliant with PCI DSS upon boarding. Expect to provide a compliant ROC and AoC if this applies to you.
• Level 2 merchants that currently fill out SAQ-A MAY STILL validate their compliance this way! They DO NOT require an on-site assessment.
• Merchants not compliant with PCI DSS will need to let their Acquirer know where they are in relation to the council's Prioritized Approach document. I'm not sure what MasterCard will do with this information, but as we've discussed before, where you fall on the prioritized approach may not be representative of the actual risk you carry.
• Service provider changes don't seem any different from what Visa has already enacted for the CISP program.

• If I accept 1 JCB card (JCB only has 2 merchant levels), am I a Level 2 MasterCard merchant, thus require an on-site assessment even if I only accept 10,000 MasterCard transactions annually?
• Level reciprocity is also clouded with American Express's merchant levels... 50K transactions puts you at a Level 2.

Time will tell, but in order for MasterCard to avoid something like this in the future, they really need to communicate better to ALL of their stakeholders, not just their members. All it would have taken is a quick run of the new program by a few key outsiders to point out some of the issues that have been addressed above, thus re-framing the new requirements and avoiding this mess.

Posted by Branden Williams at 4:57 AM | Permalink | Comments (0)

Don't worry, you don't need to tear up your existing compliance assessment. Troy Leach recently alerted the world, via press release, that PCI DSS version 1.2.1 is now the most recent version of PCI DSS, though he states, "As there are no changes to the intention or requirements of the DSS, your compliance programs will be unaffected by the change from DSS 1.2 to DSS 1.2.1."

This change is minor in nature, and does not constitute a new version per the PCI Lifecycle document released earlier this year. Most of the changes are typos or alterations in the document, some based on new policies or fees.

Let's walk through the changes.

Three documents were modified with this new version. For PCI DSS, the following four changes were made:

1. Page 5: Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2.


2. Page 32: Correct "then" to "than" in testing procedures 6.3.7.a and 6.3.7.b.


3. Page 33: Remove grayed-out marking for "in place" and "not in place" columns in testing procedure 6.5.b.


4. Page 64: For Compensating Controls Worksheet - Completed Example, correct wording at top of page to say "Use this worksheet to define compensating controls for any requirement noted as 'in place' via compensating controls."

1. Page 9: In "To which Applications does PA-DSS Apply?" section, provide further clarity about what is considered a "payment application."


2. Pages 4 & 12: Add reference to the new PA-DSS Listing Summary, in "Related Publications" and "Release Agreement and Delivery of Report" sections. The PA-DSS Listing Summary is for PA-QSAs to submit with report, to specify report and listing information for PCI SSC to use. The form is not included in PA-DSS Program Guide but is available here.


3. Page 9: Add fraud-scoring or detection applications as examples of non-payment applications that may be part of a payment application suite.


4. Page 13: Clarify language in "Fees" section to eliminate previous "quarterly" wording, add annual maintenance fee of $500, clarify that grandfathered PABP applications will be charged a one-time fee of $1,250 (rather than an annual fee), add reference to Figure 4 for details about renewing expired applications, and add a $125 listing fee for minor updates.


5. Page 14: Add column to the table of figures, to refer to page numbers with additional Program Guide content related to each figure.


6. Pages 16, 21, 22, 37: Change terminology used previously for changes to listed payment applications to "minor update" in "Overview of PA-DSS Processes," Figure 2, and "Changes to Listed Payment Applications"; added terms "major update," "minor update," and "no update." Clarified process in "Minor Update - No Impact to PA-DSS Requirements." Changed title related to self-attestation form in Appendix C to "Self-Attestation for Minor Update."


7. Pages 17, 18, 23, 24, 35: Changed "Not acceptable for new deployments" to "Acceptable only for pre-existing" deployments."


8. Page 20: In "PA-DSS Report Acceptance Process Overview" section, changed "release agreement" to "vendor release agreement" to match language in "Legal Terms and Conditions" section.


9. Page 23: In "Renewing Expired Applications" section, added second sentence to Item 2.


10. Pages 24, 25: Clarify language in sections for "Payment Applications undergoing PABP Reviews During Transition" and "PA-DSS Transition Procedures." Deleted part of footnote that referred to PABP 1.4 and the October 15, 2008 date, since the date is past. Clarify that PCI SSC will not accept PABP Transition Procedures after September 30, 2009.


11. Page 28, 32: In "PA-DSS Reporting Processes" section and Appendix A, clarify process and change language used for contents of List of Validated Payment Applications to match language used in posted list. Expanded Appendix A to include tables with details about payment application types and the reference number.


12. Page 29: In section formerly called "Notification Following a Security Breach or Compromise," add "vulnerability" throughout--now the language is "security breach, compromise, or known vulnerability."


13. Page 31: Change language in "Legal Terms and Conditions" section to match that currently included in the PA-DSS Vendor Release Agreement.

Posted by Branden Williams at 5:24 AM | Permalink | Comments (0)

As many of us in the industry had suspected, Visa has delayed its payment application security mandates two years to 2010 (newly boarded merchants) and 2012 (all merchants). The information was officially released on June 24, but I certainly did not see any public reference to it until recently. This is rumored to be largely in response to a low supply and high demand issue in the fuel industry.

So those of you that were dealing with unrealistic deadlines, you've got a reprieve! Keep pushing though, don't be one of those guys limping in at the eleventh hour!

Posted by Branden Williams at 5:33 AM | Permalink | Comments (2)

Steven Fox, blogger for CSO Online and fellow columnist in the ISSA Journal, interviewed me for his Art of War Podcast where I discuss the parallels between Sun Tzu's teachings and PCI Compliance. Of the podcasts I've done, this one was particularly fun for me because I had to grab my Art of War book off the shelf and study up for it!

Sun Tzu's teachings apply to PCI and Information Security (it is a war, people) when you read his book in the light of an information security perspective. Go check out Steven's column in the Journal, his excellent podcast, and Sun Tzu's Art of War!

Posted by Branden Williams at 5:11 AM | Permalink | Comments (0)

No, this is not one of those posts poo-pooing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers that I had visited over the years, and all the problems I have seen, and how even today the problems that come up are essentially caused by common root issues.

BTW, I'm hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them! That was, by far, my favorite part of writing the book. Maybe I'll try some bad fiction writing next? (FAIL)

Anyway, one of the things that the information security rants about is how PCI should never be viewed as your total security program. PCI by itself is not good security. Many retailers, through no fault of their own, "know enough to be dangerous" with data mining and information management. They have digitized data about their customers, products, financials, marketing plans, inventory, and employees to help make them more efficient. Retailers have an amazing amount of data available right at their fingertips, and it helps them have (only) the right products in front of the right customers at the right time, increasing their ability to turn inventory.

With this much data flying around, not only do you need a way to manage it, but you need a way to secure it. Retailers traditionally ignored information security until PCI forced their hand. And I mean REALLY forced their hand. As in fines being assessed. Had Visa not fined merchants, PCI DSS compliance rates would have increased over the last two years, but not nearly as rapidly.

Why do you think that is? Is it because retailers never really viewed their data as super secret? Maybe they concentrated only on the Availability and Integrity of their data?

Regardless, now companies are having to deal with PCI, so they begrudgingly comply. Bare minimum. No additional expenses. Hire people to deal with PCI only, not really interested in security. Well, let me rephrase that. If you speak to the executives, they will tell you they are concerned about security, but their actions (and the actions of some employees) clearly state differently.

Companies that intensely focus on ANY compliance initiative are doing themselves harm in the long run. Compliance comes and goes, but you will always need to address security. In fact, you might argue that compliance initiatives like PCI or HITRUST all stem from data breaches caused by poor security. Complying with the bare minimum requirements from one initiative only leaves you vulnerable to new compliance initiatives that may cover related security issues outside the original scope.

PCI was meant to be a component of the overall security infrastructure, not THE ACTUAL security framework. In a mature security program, you would have controls defined and mapped back to compliance initiatives. This way you can save yourself a TON of time and energy by managing to your specific control set, not to each individual compliance initiative. Imagine the metrics you could pull from that!

PCI will damage your company if it becomes your security framework. Remember, it changes every two years. Theoretically, most of the changes are minor and in response to community feedback and compromise trends, but do you really want to be scraping the bottom of the barrel and doing a major overhaul every time PCI changes? Imagine spending tens (or hundreds) of thousands on a compensating control that barely passes PCI DSS, and then having to undo and redo the work the next year because of a change in PCI? It happens all the time.

How do you solve this problem? First, you have to find an executive in your company with the testicular fortitude to stand up for Information Security. Not only must this person be charismatic and full of gusto, he (or SHE of course) must understand why security is important, and be able to relate to other executives in a manner which they will understand as well. Security is a BUSINESS issue, and the business has to be on-board or you will have lost the race before the gates ever open.

Next you need to get back to basics and start with a wide-reaching enterprise security assessment. As far as frameworks go, I'm partial to ISO 27002, but choose one (or a hybrid) that makes sense for your business and environment. Figure out how you match up. Are you close? Do you just need to define lots of stuff? Or is it going to be a long, hard ride?

Finally, create your plan and work on getting there! It will require time, resources, probably some new hardware and/or software. Be sure to review industry BEST practice, and figure out how you can smartly better your posture without creating situations where users work around your new controls and you don't adversely impact the business. The business may need to change some of what it does, but you don't want to shut it down while in process. Focus on doing things RIGHT first, then look at where that puts your completion estimates. Depending on your level of maturity and size, a 2-3 year implementation plan may not be unreasonable. Going much beyond 5 years signifies some major barriers to completing the project, and a 1 year deadline either means you had most of it right, are a small and nimble company, or you grossly underestimated your timelines.

Remember folks, spend for security, not compliance. And definitely don't implement a compliance target as your main security framework. That's how PCI can ruin you.

Posted by Branden Williams at 5:40 AM | Permalink | Comments (0)