May 12 2022

Putting PCI-DSS in Perspective

Category: pci dssDISC @ 12:47 pm
Putting PCI-DSS in Perspective

Much attention and excitement within the security world has recently been focused on the lucrative surge in crypto-mining malware and hacks involving or targeting cryptocurrency implementations themselves. Yet the volume of ‘real world’ transactions for tangible goods and services currently paid for with cryptocurrency is still relatively niche in comparison to those that are being paid for every minute of the day with the pieces of plastic we know as payment cards.

According to the British Retail Consortium, in the UK, card payments overtook cash for the first time ever last year. An upward trend assisted no doubt by the increasingly ubiquitous convenience of contactless micropayments. No coincidence either perhaps that contactless related card fraud in the UK also overtook cheque-based fraud in the first half of 2017.

For the foreseeable future, card payment channels are likely to present a continued risk to both businesses and individuals for the exact same reason that bank robber Willie Hutton gave us in the last century for his chosen means of income. In today’s digital economy, however, agile cyber criminals will not only ‘go’ as Mr. Hutton suggested “where the money is” but will swiftly adapt and evolve their tactics to ‘go where the insecurity is.’ Hence, whilst according to a range of sources EMV chip cards have cut counterfeit fraud at ‘point of sale’ (POS) in the UK by approximately a third since the technology was introduced and similar improvements are now being cited for its more recent adoption in the US, a marked and plausibly corresponding uptake in online ‘card not present’ (CNP) fraud continues to rise.

The Payment Card Industry Data Security Standard (PCI-DSS) has formally existed since 2004 to help reduce the risk of card fraud through the adoption and continued application of a recognized set of base level security measures. Whilst many people have heard of and will often reference PCI-DSS, the standard isn’t always as well understood, interpreted, or even applied as best it could be. A situation not entirely helped by the amount of myths, half-truths, and outright FUD surrounding it.

The PCI Security Standards Council website holds a wealth of definitive and authoritative documentation. I would advise anyone seeking either basic or detailed information regarding PCI-DSS to start by looking to that as their first port of call. In this blog, however, I would simply like to call out and discuss a few common misconceptions.

MYTH 1: “PCI JUST DOESN’T APPLY TO OUR BUSINESS/ ORGANIZATION/VERTICAL/SECTOR.”

It doesn’t matter if you don’t consider yourself a fully-fledged business, if it’s not your primary activity, or if card payments are an insignificant part of your overall revenue. PCI-DSS applies in some form to all entities that process, store, or transmit cardholder data without exception. Nothing more to say about this one.

MYTH 2: “PCI APPLIES TO OUR WHOLE ENVIRONMENT, EVERYWHERE, AND WE SIMPLY CAN’T APPLY SUCH AN OBDURATE STANDARD TO IT ALL.”

Like many good myths, this one at least has some origin in truth.

Certainly, if you use your own IT network and computing or even telephony resources to store, process or transmit cardholder data without any adequate means of network separation, then yes, it is fact. It could also rightly be stated that most of the PCI-DSS measures are simply good practice which organizations should be adhering to anyway. The level of rigor to which certain controls need to be applied may not always be practical or appropriate for areas of the environment who have nothing to do with card payments, however. A sensible approach is to, therefore, reduce the scope of the cardholder data environment (CDE) by segmenting elements of network where payment related activity occurs. Do remember though, that wherever network segmentation is being used to reduce scope it must be verified at least annually as being truly effective and robust by your PCI assessor.

Whilst scoping of the CDE is the first essential step for all merchants on their road to compliance, for large and diverse environments with a range of payment channels, such an exercise in itself is rarely a straightforward task. It’s advisable for that reason to initially consult with a qualified PCI assessor as well as your acquirer who will ultimately have to agree on the scope. They may also advise on other ways of reducing risk and therefore compliance scope such as through the use of certified point-to-point encryption solutions or the transfer of payment activities away from your network altogether. Which takes us directly on to discussing another area of confusion.

MYTH 3: “OUTSOURCING TRANSFERS OUR PCI RISK.”

Again, there is a grain of truth here but one that is all too frequently misconstrued.

Outsourcing your payment activity to an already compliant payments service provider (PSP) may well relieve you of the costs and associated ‘heavy lifting’ of applying and maintaining all of the necessary technical controls yourself. Particularly where such activity is far-removed from your core business and staff skill sets. As per Requirement 12.8 in the standard, however, due diligence needs to be conducted before any such engagement, and it still remains the merchant’s responsibility to appropriately manage their providers. At the very least via written agreements, policies and procedures. The service provider’s own compliance scope must, therefore, be fully understood and its status continually monitored.

It is important to consider that this doesn’t just apply to external entities directly processing payments on your behalf but also to any service provider who can control or impact the security of cardholder data. It’s therefore likely to include any outsourced IT service providers you may have. This will require a decent understanding of the suppliers Report or Attestation of Compliance (ROC or AOC), and where this is not sufficient to meet your own activity, they may even need to be included within your own PCI scope. Depending on the supplier or, service this may, of course, be a complex arrangement to manage.

MYTH 4: “COMPENSATORY MEANS WE CAN HAVE SOME COMPLACENCY.”

PCI is indeed pragmatic enough to permit the use of compensatory controls. But only where there is either a legitimate technical constraint or documented business constraint that genuinely precludes implementing a control in its original stated form. This is certainly not to be misjudged as a ‘soft option,’ however, nor a way of ‘getting around’ controls which are just difficult or unpopular to implement.

In fact, the criteria for an assessor accepting a compensatory control (or whole range of controls to compensate a single one in some cases) means that that the alternative proposition must fully meet the intent and rigor of the original requirement. Compensatory controls are also expected to go ‘above and beyond’ any other PCI controls in place and must demonstrate that they will provide a similar level of defense. They will also need to be thoroughly revaluated after any related change in addition to the overall annual assessment. In many cases and especially over the longer term, this may result in maintaining something that is a harder and costlier overhead to efficiently manage than the original control itself. Wherever possible, compensatory controls should only be considered as temporary measure whilst addressing the technical or business constraint itself.

MYTH 5: “WE BOUGHT A PCI SOLUTION SO WE MUST BE COMPLIANT, RIGHT?”

The Payment Application Data Security Standard (PA-DSS) is another PCI Security Standards Council controlled standard that exists to help software vendors and others develop secure payment applications. It categorically does not, however, follow that purchasing a PA-DSS solution will in itself ensure that a merchant has satisfactorily met the PCI-DSS. Whilst the correct implementation or integration of a PA-DSS verified application will surely assist a merchant in achieving compliance, once again it is only a part of the overall status and set of responsibilities.

IT security vendors of all varieties may also claim to have solutions or modules that although they may have nothing directly to do with payments themselves have been specifically developed with PCI-DSS compliance in mind. They are often sold as PCI-related solutions. If deployed, used and configured correctly, many of these solutions will no doubt support the merchant with their compliance activity whilst tangibly reducing cardholder data risk and hopefully providing wider security benefits. No one technology or solution in itself will make you PCI compliant, however, and anyone telling you (or your board) that it does either does not understand the standard or is peddling ‘snake oil.’ Or both.

MYTH 6: “WE’RE PCI-DSS COMPLIANT SO THAT MEANS WE MUST BE ‘SECURE,’ RIGHT?”

PCI-DSS should certainly align and play a key part within a wider security program. It should and cannot be an organizations only security focus, however. Nor should being compliant with any standard be confused with some unfeasible nirvana of being completely ‘secure’ whatever that may mean at any given point in time. There have, after all, been plenty examples of PCI-compliant organizations who have still been harshly and significantly breached. Some reports of high profile incidents have voiced scathing comments about the potentially ostensible nature of the breached organization’s PCI compliance status, even questioning validity of the standard itself. Such derision misses some key points. In the same way that passing a driving test does not guarantee you will never be involved in an accident, reasonably speaking, it will certainly decrease those chances. Far more so than if nobody was ever required to take such a test. PCI or any other security compliance exercise should be viewed with a similar sense of realism and perspective.

Applying PCI-DSS controls correctly, with integrity and unlike a driving test re-assessing them annually, must surely help to reduce the risk of card payment fraud and breaches. More so than if you weren’t. Something that is to everyone’s benefit. It cannot possibly, however, protect against all attacks or take into account every risk scenario. That is for your own wider security risk assessment and security program to deal with. Maybe yes, it’s all far from perfect, but in the sage fictional words of Marvel’s Nick Fury, “SHIELD takes the world as it is, not as we’d like it to be. It’s getting damn near past time for you to get with that program.”

About the Author:Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and PCIP (PCI SSC Payment Card Industry Professional.) He is currently the IT security lead for King’s Service Centre supporting the services of King’s College London, one of the worlds’ top 20 universities

PCI-DSS QSA Certification – Practice Questions 2022: Questions that will help you practice and advance your knowledge on the PCI-DSS QSA

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: pci compliance, pci dss


May 06 2021

PCI DSS Documentation

Category: pci dssDISC @ 7:49 am
May be an image of ‎text that says '‎ם ක PCI DSS Documentation Toolkit‎'‎

The PCI DSS Toolkit Overview

Does your organization process, transmit or store payment card data? If your answer is yes, then you need to comply with the PCI DSS (Payment Card Industry Data Security Standard). The payment Standard helps to ensure the security of transactions and protect your business from potential data breaches and fines.

The PCI DSS places a significant emphasis on documentation with all 12 sections of the Standard requiring documented policies and procedures. The more payment channels your organization accepts, the greater the need for documented policies and procedures to support the applicable requirements. Unsurprisingly, it can all get a little complicated and you may find yourself unsure of what you need to do and how to develop policies and procedures that best reflect your environment.

Let’s comply with PCI with PCI DSS Documentation Toolkit

Covering PCI DSS v3.2.1 the PCI DSS Documentation Toolkit provides guidance documents, tools and templates to help you identify what is required of your organization and develop the documentation you need.

Tags: pci compliance


Jun 14 2010

Fallout from a PCI breach for merchants and consumers

Category: pci dssDISC @ 6:22 pm


There is a big misconception out there that PCI DSS compliance does not apply to us, because we are relatively a small company


The fact is PCI DSS must be met by all organizations that transmit, process or store payment card data. Also business owner want to know what is ROI on PCI compliance. It is the total cost of ownership which ensures that you keep earning big money. DISC

Thanks to federal law and standard practice by the financial industry, the maximum cash liability of a consumer whose cardholder data is stolen is only $50; the remaining losses are paid by the card companies. If the weak security controls allows a criminal to access other accounts or steal a consumer’s identity, financial fallout could be severe for that individual. Resolving just one incident of a stolen identity may take months if not years of effort.

Merchants face their own form of fallout. When a breach occurs, there are investigation and containment of the breach costs for the incident, remediation expenses, and attorney and legal fees. But this is just for starters. Strategic and long-term fallout for all Merchants may include but not limited to the followings:

• _ Loss of customer confidence.
• _ Lost sales and revenue.
• _ Lower use of online stores due to fear of breaches.
• _ Brand degradation or drop in public stock value.
• _ Employee turnover.
• _ Fines and penalties for non-compliance with PCI and
other regulations.
• _ Higher costs for PCI assessments when merchants with a
breach must subsequently comply with the penalty of
more stringent requirements.
• _ Termination of the ability to accept payment cards.
• _ Fraud losses.
• _ Cost of reissuing new payment cards.
• _ Dispute resolution costs.
• _ Cost of legal settlements or judgments.

The potential fallout for larger merchants can be huge, Smaller merchants, however, may have significant trouble weathering a cardholder data breach. Think about your company’s cash flow and whether it could cover potential damage from a breach. The risk of going out of business perhaps should be a motivation enough to follow PCI and protect the credit and debit card data.

How to Detect Debit Card Fraud




Tags: pci assessment, pci compliance, pci compliance books, pci consultant, pci dss


Aug 08 2008

PCI DSS significance and contractual agreement

Category: pci dss,Security ComplianceDISC @ 11:52 pm





The PCI DSS (Payment Card Industry & Data Security Standard) was established by credit card companies to create a unified security standard for handling credit card information.  The retail service industry now understands the strategic significance of PCI DSS compliance, which was demonstrated when TJX announced that their system was compromised for more than 17 months, where well over 50 million customers’ credit and debit cards were breached. Retail business which fails to comply will be subject to penalties and fines, possibly lawsuits, and may lose their credit card processing capability. Non-compliance will not only expose businesses to fines and penalties but also make it vulnerable to many threats, which can exploit the vulnerabilities in the system and put your business to unnecessary risk. These risks could have been avoided with some due diligence. When business is non-compliant, any major breach will have a significant impact on business viability.


To start a process of PCI compliance, a merchant should determine if PCI DSS applies to their organization.  PCI DSS is applicable if your customer PAN (Primary Account Numbers) is stored, processed or transmitted in your organization. After determining the applicability of the standard, the merchant needs to determine where their business falls in the categorization of businesses by their bank in terms of merchant level.


Before commencing the risk assessment the assessor will perform the system profile to determine the applicability of the scope and set the boundaries of the system covered under PCI-DSS assessment. Planning is the key to success of a project; this is the phase where all the planning and project preparation will take place.   Now the key to the success of your on-going compliance is to simplify the scope of the project. The best way to achieve this to put all the PCI related assets in a precise segment to limit the merchant card holder environment.


Comprehensive risk assessment will be performed on the identified scope where risk analysis will identify the gaps based on PCI DSS standards and risk rating will prioritize the gaps for risk management.  Thorough risk analysis will generate a quality technical and process gap analysis, where you decide the mitigation/compensating controls to comply with PCI DSS.  After completion of the risk assessment the task of the risk management begins, to eliminate the gaps in your environment and to comply with the standard. Depending on the numbers of gaps the risk management team should set realistic goals to complete the tasks in hand.  Best practices recommendations suggest that the organization should eliminate/mitigate the high risks (high impact & probability) gaps to the organization, but sometime organizations decide to go after the low hanging fruits to start with their risk management process.


When the risk management process gets close to finishing and you are well on your way to comply with PCI DSS, you might think that perhaps your job is done. Well in a way, it’s just a beginning of a process where your organization is supposed to maintain the compliance with PCI DSS.  Based on expert opinion, PCI DSS is a process not a project. What you have done so far, is baseline your environment. Ongoing compliance is achieved by monitoring the relevant PCI DSS controls. Ongoing compliance will depend on the quality of the merchant’s information security management system (ISMS). A strong  ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time.  You can develop an automated PCI monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.


In a sense, PCI is neither a regulation nor a standard but a contractual agreement between the merchant and their acquirer bank, when merchants start transmitting PAN data that makes them contractually obligated to comply with PCI DSS. To understand their obligations, the merchant should make a proactive effort to understand their acquirer’s particular interpretation of PCI DSS requirements to get compliant.  Ongoing compliance will require adequate resources and automated controls in place to routinely monitor, maintain, review and improve the required systems. Ultimately, ongoing PCI compliance will enhance business efficiency and reduce the potential impact of adverse publicity on your business image.


 












Documentation Compliance Toolkit



PCI Compliance



Practical guide to implementation (Soft Cover)



Practical guide to implementation (Download)



PCI Compliance
httpv://www.youtube.com/watch?v=0NUTs-aFtOA




Tags: business efficiency, business image, compensating controls, comprehensive, contractual agreement, gap analysis, isms, iso 27001, merchant card holder, mitigate, pan, pci compliance, pci dss, risk analysis, Risk Assessment, risk management process, tjx