05 January 2009

Security for Higher Ed Desktops and Laptops

For those of you actively involved in security at your institution, I'd like to draw your attention to an interesting discussion of Higher Ed security over at the Security Catalyst. The discussion started with a question about the ideal configuration (permissions, AV, encryption) for higher ed desktop and laptop computers, and it has expanded a bit from there.

If you don't know about the Security Catalyst Community, you should think about joining. There are many good discussions usually of a technical nature about all aspects of security. It's a true online community, and I recommend it highly.

31 December 2008

PCI Searches a Growth Industry?

Based on a post from Scott Loftesness at Payments News, I decided to give Google Insights a spin. I know that interest in PCI compliance has grown in the past few years (just look at growth in attendance at the Institute's PCI workshops), but I wanted to see if I could get a quantitative handle on it.

I searched on pci compliance. I found these searches had increased something like 1200% since 2004. While the greatest number of searches was from the US, there was significant worldwide interest with India, Ireland, UK, and Australia also ranking pretty high in searches.

What I take from this is that PCI awareness has grown, and more and more people are (still) looking for additional information, insights, resources, and maybe some help...maybe even a good PCI blog... It also shows that the work of the PCI Council in spreading the compliance message may be having an impact.

I'm sure there are other interesting searches you could do. Let me know if you find anything interesting: walt@walterconway.com.

29 December 2008

New Visa PCI Compliance Framework

With the new year comes new PCI information, even if that info really came out last year and no one paid attention. What do I mean? Read on…

Not many people noticed Visa’s announcement last month detailing changes to merchant and – importantly – third-party processor PCI compliance. I thought I’d try to shed some light on what may end up being significant both to Higher Ed institutions and your service providers.

The objectives of Visa’s November 18 Security Bulletin (which followed an earlier press release on the same topic) are to increase PCI compliance and to harmonize validation requirements for Visa merchants and processors worldwide. The changes are effective February 1. While the bulletin states that there is nothing new for US merchants, a couple of things caught my attention and there are potentially significant changes for US third-party providers.

Merchant Levels. The bulletin states:
Acquirers are responsible for identification of merchant validation level based on the number and type of transactions processed by that acquirer...Merchant level identification is based on the corporate entity’s total volume meeting the transaction thresholds in one country or with one acquirer per year. Volume from independently owned and operated merchant locations (e.g., franchisee, licensee) may be excluded if it is not handled by the corporate entity.

Note the part about “Merchant level is based on the corporate entity’s total volume”. If acquirers interpret this to mean the entire school’s volume counts toward its merchant level, some schools may find that instead of a lot of Level 4 merchants they are now a single Level 2 or 3 merchant. I don’t want to raise any alarms here because in reality, this might not be a big deal so long as you don’t get thrown into Level 1 (over 6 million Visa transactions annually). That is, you still self-assess, and you still don’t need a QSA to validate your compliance. Remember, for Levels 2-4 compliance validation is the same: what matters most is how you take cards and, therefore, which SAQ you use. Your merchant level is not that important. Nevertheless, my suggestion is to check with your acquirer/processor to see if there will be any change to your merchant level in the coming year.

Compliance reporting. The bulletin reiterated that Visa will require acquirers to report compliance for all their Level 1, 2, and 3 merchants twice a year. The message to me is that Visa (and probably the other brands, too) are increasingly emphasizing merchant compliance. If you combine this requirement with Visa’s October ‘07 mandates for L4 merchants, it looks like the brands’ emphasis is definitely moving to monitoring PCI compliance for all merchants.

New Service Provider Levels. The biggest news was the new Service Provider definitions. Effective February 1, Visa is reducing from three to two the number of Service Provider Levels, and they are dropping the transaction threshold for Level 1 dramatically. The cutoff will be just 300,000 Visa transactions annually – it used to be 1 million. If you process more than that, you are a Level 1 Service Provider; process less and you are a Level 2; there is no more Level 3.

I am surprised there has not been more attention paid to this change. If you are (or you use) a Level 2 or 3 Service Provider, stop what you’re doing and read the Bulletin. Your PCI compliance costs may increase under the lower transaction threshold.

What does it mean to you as a school? A couple of things. First, check if any of your smaller third-party providers might now be “promoted” to Level 1. If so, they may need to update/upgrade their compliance validation and you need to check that they do it. Second, if you have any outside organizations using your school’s network to process card transactions (I’m thinking food or other franchises, even some affiliates) you might be considered a Service Provider. You don’t want that. Free advice: get them off your network. Lastly, in the fine print of the Bulletin Visa notes that their CISP List of Compliant Service Providers will henceforth list only Level 1s. So if you are using a third-party and they are not on the list, don’t immediately start tearing up their contract. Maybe they are still compliant as a L2.

If a security bulletin falls in the forest and there is no one there to hear it (apologies to Bishop Berkeley), does it still have an impact? I’d say it might. Send me an email or give a call if you have any questions. Happy New Year.

29 December 2008

Life and (Bad) Times of a Card Thief

There is a very good article in Wired about one hacker's attempt to "rule the black market in stolen credit cards." It is a story of criminality, greed, and technical prowess...and yes, the good guys win out in the end and the bad guys end up in jail.

I knew a bit about the Carders Market episode, but the article added new details. It is interesting to see almost everyone involved -- high level hackers and low level grunts or "cashers" -- in the slammer. But I can't help but remind all of us that there are others taking their place. Today. Right now.

Read the article; it is well written as a who-dunnit and it has PCI implications. Then ask yourself again why you are keeping payment card data (if you still are) and whether the convenience is worth the risks.

17 December 2008

Going to SunGard Summit?

If you are attending SunGard's Summit in March, I'll be doing two sessions on PCI implementation in Higher Ed. My formal presentation is Monday March 23 at 1.30, followed by a Birds Of a Feather (BOF) PCI Implementation session at 3.00. It should be interesting and fun.

If you are attending, the Class Scheduler is now available so you can sign up for one or both my sessions. I'm looking forward to this event and to seeing some of you there.

15 December 2008

Best Security Blogs -- You Decide

The Security Bloggers Meet-Up is part of the RSA Conference. This year the organizers of the Meet-up are introducing the first annual Social Security Awards! The Social Security Awards give readers a chance to recognize the best, brightest, and most entertaining bloggers and podcasters in the field. I am hoping you, dear reader, will agree that this includes this blog.

If you do, please take a moment and click here to nominate the PCI News and Information blog. There are five categories, including:

* Best Security Podcast
Who is the voice you listen to week after week?

* Best Technical Security Blog
Who is digging deeper than anyone else?

* Best Corporate Security Blog
Which vendor's contributing the most to the blogosphere?

* Best Non-Technical Security Blog (I think this is where this blog fits)
Who's got the best 30,000-foot view?

So check your bookmarks and don't forget to vote.

09 December 2008

Vote for Payment Security Professional of the Year

Nominations are open for a Payment Security Professional of the Year. Look around at your peers, acquirers, vendors, etc. and take a few minutes to recognize someone who is a leader...or should be.

09 December 2008

Risk Management...and your Cholesterol?

Look at this post at Securosis.com for a personal, real-world case study on risk analysis. Substitute "PCI" for "cholesterol".

Me? Having faced the identical situation a few years ago, I'm staying on Lipitor.