27 August 2008

The Value of a Second Opinion

Second opinions can be valuable. I recently went to two mechanics to see if I could avoid replacing the radiator on my car. I doubt that any of us, facing a serious medical situation, would hesitate to ask for a second opinion. So why are we sometimes so quick to entrust our institution's reputation and checkbook (and maybe even our own career) to a single PCI expert?

A few weeks ago I heard from a school. They had bought a "recommended" solution to address their PCI needs and were just discovering that it might not be all they had hoped. The particularly unfortunate part is that this was a completely avoidable situation: getting a second opinion at the start would have highlighted the flaw in the salesman's pitch, and a better solution (from the same company, BTW) could have been found. They are now stuck in an unpleasant and possibly quite expensive situation.

PCI is still a mystical beast to many, or at least so it seems. When faced with such a mystery we sometimes put trust in the wrong places (see my thoughts here). This misplaced trust is what happened to the school that bought the solution that was wrong for them.

Mike Dahn picks up this theme in the latest Aegenis Newsletter. This issue is full of Mike's usual thoughtful analysis and insights. He notes the importance of getting a second opinion, writing: "Unfortunately many of these so-called 'experts' are often only superficially knowledgeable of the PCI DSS and most of those have a less than comprehensive understanding of the payment card industry...During [PCI] training events, it is not uncommon to hear a merchant, service provider, or bank say: 'my QSA said that we must (fill in the blank) to comply with the PCI DSS.' More often than not, these recommendations are simply inaccurate interpretations of the standard or the intent of a particular requirement. People have no problem asking for a second opinion from a doctor when diagnosed with a major illness. It is always surprising, however, when an organization will spend millions of dollars on remediation based upon a statement from a single individual with often cursory experience in the industry without seeking a second opinion...While there are some very good QSAs in the market, the qualification alone does not make one an expert on PCI DSS related issues nor does it imply information security expertise. It is highly recommended that, prior to purchasing technology or implementing controls to address identified compliance issues, organizations conduct their own due diligence and find a second opinion. Spending a little time and money double-checking a recommendation will often pay huge dividends."

This analysis matches my own experience. These conclusions are doubly relevant if the "expert" is, or is affiliated with, the salesperson. Remember the line from "The Godfather": "this is business, not personal." Keep that line in mind constantly. Understand that no matter how friendly and knowledgeable the salesperson appears, to them you are simply their next paycheck, or braces for the kids, or a new boat. I'm not saying to be nasty, but don't believe everything without checking for yourself.

Where do you get a second opinion? Talk with your peers, do some research, and visit other customers who have implemented the specific solution being proposed to you. Above all, talk to somebody who knows payments, who knows PCI, who understands Higher Ed, and who is independent of the vendor.

As for my radiator, the second opinion came in the same as the first (it's gotta go)...but the price was lower. My cost for the second opinion: trivial. My benefit: knowing I'm making the right decision.

Isn't protecting the institution's brand (and checkbook) worth as much as a crummy radiator?

18 August 2008

PCI DSS version 1.2 -- Some Details

The PCI Council today issued a press release on version 1.2 that contains an overview of the changes and a link to a pdf with more details.

As you read it, keep in mind that this summary may not include all changes made in version 1.2; more may be announced at the Community Meeting in September (and yes, I'll be there and blogging on developments). To me, some of the more important clarifications are:

-- Emphasizing encrypting local user databases
-- A ban on new WEP after March 31, 2009, and current WEP implementations are to be discontinued by June 30, 2010 [This is corrected]
-- You will be able to use a risk-based approach to installing patches rather than following a prescribed timetable
-- 6.6 is, of course, now mandatory
-- The requirement to secure media with cardholder data now will explicitly include paper media as well as electronic; the destruction requirements have been clarified, too
-- Audit trail (logging) retention is more flexible: at least three months' worth must be immediately available for analysis, with the rest quickly accessible (meaning archived or restorable from backup)
-- Penetration test requirements have been clarified to explicitly state they can be done internally without either a QSA or ASV
-- Policies addressing information security will now include remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and PDAs
-- You will need policies and procedures implemented to manage and monitor service providers.

The Council has scheduled a webinar for September 4th [corrected date]. You can learn more here. If it's like past webinars, it should be very useful.

As I said, the changes will be discussed at the September 23-25 Community Meeting. The full version 1.2 is targeted for release in October, when it will become effective. Merchants do not need to take immediate action to address any changes; you will address them during your next scheduled PCI assessment. That means there will likely be some overlap between versions 1.1 and 1.2 for a few months to accommodate merchants who are in the middle of an assessment when 1.2 comes out.

I don't see anything earth shattering here, but it looks like we'll have an interesting Community Meeting in a few weeks.

18 August 2008

Why PCI PED Matters

It's August and it seems activity has slowed down...but not for the bad guys, and they're at it again. This time, the target is POS terminals used with chip-and-PIN cards in the UK.

I saw this article in ComputerWeekly thanks to Scott Loftesness at Payments News -- a good guy who never seems to take a vacation. It seems that police are checking every (every!?!) chip-and-PIN terminal in the UK. According to the article:

Criminals were said to be hiding devices inside terminals to reveal Pin numbers [sic] matching credit cards, as well as obtaining data to make cloned magnetic stripe cards. Although these do not work in UK cash machines, criminals can use them to withdraw money in countries that have yet to roll out chip and Pin.

They were even able to transmit that data from these devices to a mobile phone, according to well-informed sources. This meant that while they would have to break into terminals to insert reading devices, they would not need to do so again to retrieve the data.

But police were especially alarmed by compromises to various tampering-detection systems on card terminals. These systems are designed to send an alert down the line that the terminal has been opened.

Each terminal must be checked to see whether criminals have already inserted a data-reading device, and to make physical changes to its tampering-detection system.


The PCI PED (PIN Entry Device) standard was designed to prevent exactly this kind of attack. I don't know whether the UK banks deployed non-approved devices or whether the bad guys found a way around approved ones. It is particularly disturbing that the "tampering-detection systems" apparently failed.

All of which says to me once again that chip-and-PIN is not a panacea for PCI or card security: the terminals still must be compliant; and chip cards still have a mag stripe that can be skimmed. For a personal account of the latter, see my post about my French friend's experience...it still rings true today.

What does this all mean for you? Many campuses also take PIN-based debit cards. You want to make sure your POS devices are PCI PED approved. You can read more at the PCI Council's website, which also lists approved devices.

Meanwhile don't take your eye off PCI compliance...the bad guys aren't taking any summer vacations.

15 August 2008

Selling PCI

I like Dave Taylor's post in StorefrontBacktalk today. It goes back to a question we discussed at the PCI Workshop in May. That is, how do you sell PCI to your top management? I am sort of hoping Dave's first recommendation is tongue-in-cheek:

Yell "SECURITY BREACH" really loudly, all the time.

But I guess in some cases it might work even though in my heart I don't think FUD ("fear, uncertainty, doubt") sells.

I'd like to re-phrase the question to: "How do you get top management committed to PCI compliance?" There certainly is a business case (see here and here), and I have made the point that top management buy-in is critical (see the "5 Strategies" article). But I want to believe getting top management's commitment is easier if there is a positive case for compliance.

I just don't have it yet. I've got lots of info on costs and reputation damage, but I really would love to find the positive case: respecting and protecting relationships with students, parents, alumni/ae, and friends; increasing trust; or maybe just "darn it, it's the right thing to do."

I'd love to hear YOUR comments and thoughts. Read Dave's post and share how you've sold PCI at your institution. Maybe FUD does work, but I'm not ready to rule out a positive case just yet.

UPDATE: After I posted this, I saw this article in Computerworld in which Visa's CEO, John Coughlin, said: "We need a carrot as well as a stick to fight fraud. While we know that not harming customers is usually a great incentive, we are also asking ourselves, 'What other financial incentives can we create?'" Maybe with Visa's help there will be financial incentives (think lower interchange?) for PCI-compliant merchants.

Well, at least I can hope.

08 August 2008

Additional Details on TJX Indictments (Updated)

Evan Schuman's StorefrontBacktalk site/blog is always an interesting site for developments in the retail and payments world. He has several posts today that I recommend you read if you want to know more about the arrests this week over the TJX and other card security breaches.

In particular, in one post he mentions how the retailers were oblivious to, or at least in the dark about, the breaches, except for one "mystery merchant" whose systems seem to have caught the bad guys in the act.

Surf over and have a read. There is good analysis and thoughtful discussion. And as always, my friend David Taylor chimes in with his weekly thoughts, this time on how you know whether you've been hacked. This is an issue that affects Higher Ed as much as any industry.

It seems like the TJX case will never end.

UPDATE:
Read more at the New York Times (a really good analysis) and this from MSNBC.

05 August 2008

The "Bad Guys" Really Are Bad (Updated)

I just got back from Tokyo yesterday afternoon, and today I'm greeted with a report in The New York Times on the arrest of 11 people charged with being the ring behind the TJX card data theft. From the article, it sounds like the authorities believe these are also the people who hacked into other merchants and sold the stolen cardholder data on the web.

This was truly an international operation, involving three people from the United States, three from Ukraine, two from China, one from Estonia and one from Belarus.
Update: If you want some insight into how this gang collaborated, check out this ComputerWorld article.

If you ever wondered if the hackers seeking credit card data are serious, technically sophisticated criminals, this report should put those doubts to rest. Remember: "it's impossible to be paranoid* about protecting cardholder data."

* Note that paranoia is the delusion that people are out to get you...they really are!

31 July 2008

PCI Workshop 09 -- Mark Your Calendars!

It looks like we have dates for the next PCI DSS workshop for Higher Education. We'll be returning to Indianapolis on May 4-6. We plan once again to offer a half-day PCI deep dive as an optional kick-off session. We'll also have outstanding speakers from Higher Education institutions with case studies of their own PCI implementations and an expert panel of PCI compliance officers from leading acquirers.

One reason I'm mentioning this now is that I would like you to email me if you are interested in being a presenter at the workshop. Presenting to your peers is a lot of fun, and there are other benefits...like getting to attend free. I'm also mentioning the date so our wonderful sponsors can make sure to budget to join us again. I found that the sponsors, in addition to their critical financial support, provided some key insights and bits of information during the workshop. They bring real-world experience and a different perspective that stimulated our discussions.

Plan now to join us in Indy in May 09!

30 July 2008

I'm CPISM Certified!

While any number of you have told me on occasion that I might be certifiable, I have at least partly justified your beliefs by becoming a Certified Payment-card Industry Security Manager or CPISM. I am very proud of my little achievement, and I'll be updating my website accordingly.

I've blogged about the CPISM before (here and more recently here). As the website of the Society of Payment Security Professionals (or SPSP) states,

The rapid influx of regulation from all directions has created a need for professionals that understand both the business objectives of the industry at large as well as the security and privacy issues facing the industry. To date, the marriage of these two skills has been difficult to evaluate. In order to address the need to identify professionals that understand both the industry as a whole as well as the pressing security issues the industry faces, the Society of Payment Security Professionals offers the Certified Payment-Card Industry Security Manager (CPISM).

The CPISM is directed towards those individuals involved in data security compliance projects in the Payments Industry. The material assessed is crucial for project managers, compliance and risk managers, as well as for more technical staff in the Payment Card Security Industry.


BTW, the SPSP is the new home of the PCI Forum.

What does the CPISM mean to you? It means that the person holding the certification understands not just PCI but the payment card business, too, which is pretty important, as I've noted before here. The designation is relatively new, but you'll see more of your acquirers and system providers sporting it...or at least those who care about their customers will!

I'll look forward to seeing how many other CPISMs will be at the Institute's next PCI conference.