Tag Archives: PCI DSS

PCI Council Releases ‘Best Practices for Securing E-Commerce’

Is your organization accepting credit card transactions online? Are those transactions secure according to the Payment Card Industry’s (PCI) Data Security Standards? 66% of consumers warn they won’t purchase from an organization after they’ve had a breach of payment card information.

The PCI’s Security Standards Council released a guidance document to help educate merchants on securely accepting payment cards online. The updated guidance, Best Practices for Securing E-commerce, comes at a time when online payments are a top target for cyber criminals.

E-commerce is a growing security concern for merchants. Online sales are increasing rapidly, and the EMV chip migration in the U.S. makes counterfeit-card fraud at in-person terminals much harder. Cyber criminals recognize these trends and have shifted their attention to card-not-present transactions, committing payment card fraud through e-commerce sites instead.

Best Practices for Securing E-commerce

A large portion of the guidance is dedicated to SSL and TLS. There is still confusion about the difference between these protocols, which versions are acceptable, and how to select a certificate authority.

The PCI Council announced in December 2015 that all merchants accepting payment cards must stop using SSL and early TLS (TLS 1.0) and move to TLS 1.1 or higher by June 30, 2018. Google added to the urgency by having the Chrome browser warn users when they visit a website that does not use HTTPS.

Key encryption topics discussed in the guidance include:

  • Guidance on selecting a certificate authority
  • Descriptions of different certificate types
  • Questions to ask service providers regarding certificates and encryption

Key Takeaway

The PCI Council is taking a proactive approach to the encryption issue with SSL and TLS. The implementation deadline is still a year away, but merchants that aren’t compliant can use this guidance to help securely accept online payments.

Payment Card Industry’s Security Standards Council Releases Important Guidance Information

Many companies struggle to understand and implement all of the requirements under the Payment Card Industry’s Data Security Standards (PCI DSS). In response, the PCI Council has issued a guidance document – Guidance for PCI DSS Scoping and Network Segmentation – to give merchants some practical direction.

The guidance helps companies identify systems and networks that should be included in the scope of PCI DSS analysis. Further, it offers guidance on how network segmentation can effectively reduce the number of systems that fall under the PCI DSS scope.

Key Takeaway

Some key notes from the guidance:

  • Systems that store, process, or transmit cardholder data are in scope, and so are systems on the same network segment as them and systems that can connect to, or could affect the security of, the cardholder data environment (for example, authentication, patching, and logging servers).
  • By storing less information, companies can minimize PCI DSS compliance efforts.
  • By using network segmentation, companies can reduce the number of systems falling under PCI DSS requirements.
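The scoping rule above is mechanical enough to check from a network inventory and a firewall rulebase. The following is an added example, not code from the PCI guidance or this post: it takes a constructed list of hosts, their network segments, and the firewall's allow rules, and derives which hosts are in scope as "connected-to" systems. It then shows how removing the corp-to-CDE rule (segmentation) shrinks that set, and provides the check a segmentation review should confirm for any host claimed to be out of scope. Only direct connectivity is modelled; systems that affect CDE security without a direct rule (an AD domain controller that authenticates CDE admins, for instance) must be added to the CDE set by hand.

```python
"""Derive PCI DSS scope from a constructed inventory and firewall policy.

Added example; host names, segment names and rules are all constructed.
"""

# Constructed inventory: host -> network segment.  Hosts in the "cde" segment
# store, process or transmit cardholder data.
HOSTS = {
    "pos-app-01": "cde", "card-db-01": "cde",
    "ad-dc-01": "mgmt", "patch-01": "mgmt",
    "wiki-01": "corp", "hr-01": "corp",
}
CDE_HOSTS = {h for h, seg in HOSTS.items() if seg == "cde"}

# Firewall policy as (src_segment, dst_segment) allow rules; everything not
# listed is denied.  The "flat" policy lets the corporate LAN reach the CDE.
FLAT_POLICY = {("corp", "cde"), ("mgmt", "cde"), ("corp", "mgmt")}
# After segmentation only the management segment may reach the CDE.
SEGMENTED_POLICY = {("mgmt", "cde"), ("corp", "mgmt")}


def in_scope(policy, hosts=HOSTS, cde=CDE_HOSTS):
    """CDE hosts plus every host whose segment has an allow rule to or from a
    CDE segment (the guidance's "connected-to" systems).  One hop only."""
    cde_segments = {hosts[h] for h in cde}
    connected = set()
    for src, dst in policy:
        if dst in cde_segments:
            connected.add(src)
        if src in cde_segments:
            connected.add(dst)
    connected -= cde_segments
    return set(cde) | {h for h, seg in hosts.items() if seg in connected}


def segmentation_gaps(policy, claimed_out_of_scope, hosts=HOSTS, cde=CDE_HOSTS):
    """Allow rules that contradict the claim that a host is out of scope.

    Returns (host, src_segment, dst_segment) for each offending rule.  A
    segmentation test should confirm the same thing from the network itself,
    not only from the rulebase, since rulebases and reality drift apart.
    """
    cde_segments = {hosts[h] for h in cde}
    gaps = []
    for h in claimed_out_of_scope:
        seg = hosts[h]
        for src, dst in sorted(policy):
            if (src == seg and dst in cde_segments) or (dst == seg and src in cde_segments):
                gaps.append((h, src, dst))
    return gaps


if __name__ == "__main__":
    print("flat network in scope:     ", sorted(in_scope(FLAT_POLICY)))
    print("segmented network in scope:", sorted(in_scope(SEGMENTED_POLICY)))
    print("gaps for wiki-01 on flat:  ", segmentation_gaps(FLAT_POLICY, ["wiki-01"]))
```

On the flat policy every host is in scope, because corp can reach the CDE directly; on the segmented policy only the CDE and management hosts remain, and the corporate hosts pass the out-of-scope check.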

The recommendations in this document can help entities large and small understand the PCI scoping requirements and how to apply network segmentation to reduce their exposure. For any further questions on these topics, feel free to reach out to our vCISO team at cyberteam@eplaceinc.com.

PCI DSS Version 3.2: What’s New?


The PCI Security Standards Council released the latest version – 3.2 – of the PCI Data Security Standard, which includes several changes and updated requirements. The new safeguards in version 3.2 focus on the role of people and processes in protecting payment card data. This includes new requirements for administrators and service providers designed to protect the cardholder data environment.

What’s the most notable change?

The most notable change in version 3.2 of PCI DSS is the expanded requirement for multi-factor authentication. Multi-factor authentication requires two or more of the following factors before granting access to systems that contain card data:

  • Something you know – e.g. a password
  • Something you have – e.g. a token or smart card
  • Something you are – e.g. biometrics

Multi-factor authentication is now required for all non-console administrative access to the cardholder data environment. Earlier versions already required it for remote access from outside the network; version 3.2 extends it so an administrator cannot reach cardholder data by typing in a password alone. This blunts attacks that rely on stolen credentials, such as password-stealing malware or phishing, since the attacker still lacks the second factor.

What are the new requirements for service providers?

Designated Entities Supplemented Validation

The Designated Entities Supplemental Validation (DESV) criteria were added as an appendix to PCI DSS, and several of its controls were incorporated into the main standard as requirements for service providers. The Council's objective in adding the DESV controls is to make PCI DSS security a continuous process rather than an annual event.

Reporting on critical security failures

New requirements 10.8 and 10.8.1 require service providers to detect and report failures of critical security control systems (firewalls, IDS/IPS, file integrity monitoring, anti-virus, logging, and similar) in a timely manner, and to respond to those failures in a documented way. Without a process to notice that a control has stopped working, attackers have more time to compromise systems and steal data.
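Detecting a failed control is as much about noticing silence as about noticing an explicit error: a log forwarder that has simply stopped sending looks healthy to anyone who only watches for "failed" messages. The following added example (not from the standard or this post) runs over a constructed status feed in which each critical control emits a heartbeat line; the line format and control names are assumptions. It reports controls that last reported a non-OK state, that have gone quiet for longer than a tolerated interval, or that have never reported at all.

```python
"""Detect failures of critical security controls from a heartbeat feed.

Added example; the feed format "<ISO timestamp> <control> <state>" and the
control names are constructed for illustration.
"""
from datetime import datetime, timedelta

STATUS_LINES = """
2017-03-01T08:00:00 firewall-edge ok
2017-03-01T08:00:00 ids-cde ok
2017-03-01T08:00:00 fim-card-db ok
2017-03-01T08:00:00 av-pos ok
2017-03-01T08:00:00 log-forwarder ok
2017-03-01T08:05:00 firewall-edge ok
2017-03-01T08:05:00 ids-cde ok
2017-03-01T08:05:00 av-pos degraded
2017-03-01T08:10:00 firewall-edge ok
2017-03-01T08:10:00 ids-cde ok
2017-03-01T08:10:00 av-pos failed
""".strip().splitlines()

CRITICAL_CONTROLS = {"firewall-edge", "ids-cde", "fim-card-db", "av-pos", "log-forwarder"}
# Heartbeats arrive every 5 minutes; missing one and a bit is treated as a failure.
MAX_SILENCE = timedelta(minutes=7)


def parse(lines):
    for line in lines:
        ts, control, state = line.split()
        yield datetime.fromisoformat(ts), control, state


def control_failures(lines, now, controls=CRITICAL_CONTROLS, max_silence=MAX_SILENCE):
    """Return {control: reason} for every critical control that is not
    demonstrably working at time `now`."""
    last = {}
    for ts, control, state in parse(lines):
        if control in controls:
            last[control] = (ts, state)      # keep the most recent report only
    failures = {}
    for control in sorted(controls):
        if control not in last:
            failures[control] = "never reported"
            continue
        ts, state = last[control]
        if state != "ok":
            failures[control] = f"reported {state} at {ts.isoformat()}"
        elif now - ts > max_silence:
            failures[control] = f"silent since {ts.isoformat()}"
    return failures


if __name__ == "__main__":
    now = datetime.fromisoformat("2017-03-01T08:12:00")
    for control, reason in control_failures(STATUS_LINES, now).items():
        print(f"{control}: {reason}")
```

Each entry in the result is the trigger for the 10.8.1 response: restore the control, work out why it failed and how long it was down, and record what was done. Run this from a system outside the monitored set, otherwise the monitor fails silently together with the controls it watches.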

Penetration testing on segmentation controls

New requirement 11.3.4.1 requires service providers that rely on segmentation to perform penetration testing of their segmentation controls at least every six months and after any change to those controls. In earlier versions, verification of segmented environments was required for all entities on an annual basis. The more frequent testing in version 3.2 reflects how much the Council's scoping model depends on the isolation of cardholder data actually holding up.

Executive management participation

New requirement 12.4.1 calls for the executive management of service providers to understand their PCI DSS obligations. This includes assigning responsibility for protecting cardholder data and establishing a PCI DSS compliance program. The requirement is designed to get top-level executives involved and sharing responsibility for the security of payment card data.

Which encryption is acceptable under version 3.2?

PCI DSS version 3.2 reiterates the migration requirements from SSL and TLS 1.0 to TLS 1.1 and higher. The e-commerce space will probably see the largest impact: once a retailer disables early TLS, customers whose browsers or devices have not been updated to support TLS 1.1 or higher can no longer connect, so retailers have to weigh that loss against the protection the newer protocol provides to everyone else.

When should you implement these changes?

The short answer… as soon as possible. The changes will help companies more effectively prevent or detect cyber-attacks. Version 3.1 is retired on October 31, 2016, and the new requirements in 3.2 are considered best practices until January 31, 2018; they become mandatory on February 1, 2018.

PCI DSS Outlook

The new standards in version 3.2 are trying to get companies into the habit of continuously monitoring their security controls and protecting cardholder data. The PCI Council is attempting to move away from the annual check-the-box inspections. Instead, they’re looking for companies to implement a culture with security that’s top-of-mind and processes to adapt to evolving technology and threats.

PCI Guidance: Responding to a Data Breach

The Payment Card Industry Security Standards Council (PCI SSC) released guidance for merchants and service providers to help in preparing to respond to an incident and engaging a Payment Card Industry Forensic Investigator (PFI). To find a list of pre-approved PFIs, visit the PCI SSC website.

Join the next ePlace Solutions webinar: PCI Readiness – Solidifying PCI Scope of Compliance Risk, to gain a better understanding of the PCI DSS requirements and how to best prepare for compliance. The webinar is October 28th at 10:30 AM PT / 1:30 PM ET, free of charge.

Preparing for the Worst

The PCI SSC recommends that organizations prepare for the worst when it comes to incident management. The guidance provides 5 key points to address when putting together an incident management program.

1. Implement an Incident Response Plan

The retail industry has seen a plethora of cardholder data breaches in recent years. Organizations need to be prepared for what seems to be the inevitable data breach. An Incident Response Plan is a crucial step in preparing for an incident.

PCI DSS provides guidance in Requirement 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.

According to PCI DSS, an effective incident response plan should include:

  • Roles, responsibilities, and communication strategies in the event of a compromise (i.e. notifying payment brands of an incident)
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting an incident

2. Limit Data Exposure

When responding to a security incident, too often organizations will impulsively shut down the infected systems and ruin any evidence that existed. Simply turning off a system could potentially delete key evidence in the investigation, as well as tip off the attackers that they’ve been detected.

Minimizing data loss while simultaneously preserving evidence is essential. The incident response team should ensure they have the capability to isolate an infected system without turning it off. This helps keep the attackers away from other potentially sensitive areas of the network and allows the forensics team to investigate the situation.

3. Notify Business Partners

An effective response to a security incident involves notifying the proper parties. Organizations should have a communications strategy that contains all parties and contact information that is necessary in the event of a security incident. Potential parties might include payment card brands, merchant banks, or other entities that require notification by contract or law.

4. Manage Third-Party Contracts

Third-parties represent a security concern for many organizations. Oftentimes third-parties have access to an organization’s network and systems for business operations. However, the protection of data and information ultimately falls on the data controller.

Having language to address the vendor’s data security policies and procedures, as well as their incident response management, is a key component to preparing for an incident. As the data controller, provisions to keep the third-party accountable are essential to ensuring the best protection of data and information.

5. Identify a PFI

Organizations should identify and establish a relationship with a PFI before an incident occurs. PFIs will often offer their services on retainer so the relationship exists and they are only a phone call away when you need them.

When engaging with a PFI, it’s important to understand their role in the incident management process. There are several things to consider when performing due diligence on potential PFIs for the organization.

PFIs are required to be independent of the organization they are investigating. There should be no other existing relationships with the PFI. The organization’s Qualified Security Assessor is not allowed to conduct the investigation. In addition, other third-parties representing the organization, like a public relations consultant, should not be interfering with the investigation. PFIs’ investigations must be completely independent.

The purpose of the PFI is to investigate the root cause and scope of the intrusion. PFIs will compile their findings into two reports: a PFI Preliminary Incident Response Report and a PFI Final Incident Response Report. It’s important to realize that the investigation and reports are not PCI DSS assessments and will not determine compliance with PCI DSS.

PCI Council Publishes PCI DSS v.3.1

The PCI Security Standards Council (PCI SSC) has published PCI Data Security Standard (PCI DSS) Version 3.1 and supporting guidance (press release). The revision includes minor updates and clarifications, and addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk.

The National Institute of Standards and Technology (NIST) identified SSL as not acceptable for the protection of data due to inherent weaknesses in the protocol. Upgrading to a current, secure version of Transport Layer Security (TLS), the successor to SSL, is the only known way to remediate these vulnerabilities, which have been exploited by attacks such as POODLE (against SSL 3.0) and BEAST (against TLS 1.0). PCI DSS 3.1 updates requirements 2.2.3, 2.3, and 4.1 to remove SSL and early TLS as examples of strong cryptography.
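Both this post and the e-commerce post above come down to one server-side setting: which protocol versions and cipher suites the server will negotiate. The following is an added example, not code from the Council's documents or this blog, using only Python's standard `ssl` module. `pci_tls_context()` builds a server context with TLS 1.2 as the floor (the migration requires at least 1.1 and recommends 1.2), compression off, and weak suites excluded; `audit_tls_context()` reports the settings in an existing context that would fail the migration, which is the check to run against your own application before a QSA does. The weak-suite markers are a conservative substring list, an assumption for this example rather than an exhaustive catalogue.

```python
"""Build and audit a server TLS context against the SSL / early-TLS migration.

Added example; uses only the Python standard library.
"""
import ssl

# Substrings that identify cipher suites no payment system should negotiate.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def pci_tls_context() -> ssl.SSLContext:
    """Server context with TLS 1.2 as the minimum protocol version, no TLS
    compression (CRIME), and only forward-secret AEAD suites enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """List the settings in `ctx` that fail, or fall short of, the migration."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_1:
        findings.append(
            f"minimum protocol {ctx.minimum_version.name} allows SSL/TLS 1.0 "
            "(fails requirement 4.1 after the migration deadline)")
    elif ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol TLS 1.1 is accepted, but TLS 1.2 is the recommended floor")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


def weak_legacy_context() -> ssl.SSLContext:
    """The kind of context a pre-3.1 deployment ends up with: whatever the
    linked OpenSSL will still speak, including SSL 3.0 / TLS 1.0 if built in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", weak_legacy_context()), ("hardened", pci_tls_context())):
        findings = audit_tls_context(ctx)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The audit inspects the context object, not the wire, so it cannot see a load balancer or CDN terminating TLS in front of the application; those need the same check applied to their own configuration.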

PCI Council Releases Penetration Testing Guidance

The PCI Security Standards Council published Penetration Testing Guidance to help organizations create and implement a process for testing security controls in the cardholder data environment. This comes after Verizon released a report finding that testing security systems was the main area of failure for PCI DSS compliance in 2014.

Developed by a PCI Special Interest Group of industry experts, the new guidance aims to help organizations of all sizes, budgets and sectors. Best practices address:

  • Penetration Testing Components: Understanding the different components that make up a penetration test.
  • Qualifications of a Penetration Tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
  • Penetration Testing Methodologies: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement.
  • Penetration Testing Reporting Guidelines: Guidance for developing a comprehensive penetration test report.

“Penetration testing is a critical component of the PCI DSS,” said PCI SSC Chief Technology Officer Troy Leach. “It shines a light on weak points within an organization’s payment security environment which, if unchecked, could leave payment card data vulnerable.”

Dairy Queen Confirms “Backoff” Infection

Dairy Queen, Inc. has confirmed (press release) that the systems of some DQ® locations and one Orange Julius® location in the U.S. had been infected with the “Backoff” malware. Because nearly all DQ and Orange Julius locations are independently owned and operated, the company worked closely with affected franchise owners, law enforcement authorities, and the payment card brands to assess the nature and scope of the issue. The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at 395 U.S. locations.

See also “Backoff” PoS Malware – Warnings and Recommendations.

PCI Security Standards Council Updates Skimming Prevention Guidance

The PCI Security Standards Council released an update to its guidance for merchants on protecting against card skimming attacks in point-of-sale (POS) environments, Skimming Prevention: Best Practices for Merchants.

Security best practices outlined in the guidance include:

  • Identify risks relating to skimming – both physical and logical based
  • Evaluate and understand vulnerabilities inherent in the use of POS terminals and terminal infrastructures, and those associated with staff that have access to consumer payment devices
  • Prevent or deter criminal attacks against POS terminals and terminal infrastructures
  • Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack

Appendices provide information on assessing vulnerability risks, meeting PCI DSS Requirement 9.9 for ensuring proper inspection of POS devices, and limiting the attack vector by implementing simple daily routines and training employees.

A high-level guidance, Skimming Prevention: Overview of Best Practices for Merchants, is also available.


PCI SSC Publishes Guidance for Maintaining PCI DSS Compliance

The Payment Card Industry Security Standards Council (PCI SSC) has published guidance (press release) on building PCI Data Security Standard (PCI DSS) practices into daily business processes. The “Best Practices for Maintaining PCI DSS Compliance Information Supplement” includes examples of publicly available governance framework resources that can be used to complement PCI DSS controls to enhance the overall effectiveness of an organization’s cardholder data security program. The supplement can be downloaded from the PCI SSC website at: https://www.pcisecuritystandards.org/security_standards/documents.php.

“Backoff” PoS Malware – Warnings and Recommendations

On August 27, 2014, the Payment Card Industry Security Standards Council (PCI SSC) released a Bulletin on Malware Related to Recent Breach Incidents. The bulletin supports the statement released by the US Secret Service and Department of Homeland Security on August 22, 2014 warning about the Point of Sale (PoS) malware “Backoff”, which is said to represent “a very real threat to the security of cardholder data in all organizations”.

Key takeaway – the Council strongly encourages organizations as a matter of urgency to consider the following recommendations:

  1. Contact your anti-virus provider and ensure you are running the most recent version, with current signatures, that will detect “Backoff” and similar malware.
  2. Run a full scan immediately.
  3. Review all system logs for any strange or unexplained activity, especially large data files being sent to unknown locations.
  4. Require all default and staff passwords on systems and applications to be changed. Provide good guidance on choosing a secure password (see PCI Data Security Standard Requirements 2 and 8).
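Recommendation 3 is the one that turns into a concrete query. The following added example (not from the PCI SSC or Secret Service bulletins) parses constructed outbound-connection log lines from POS lanes, totals the bytes each lane has sent to each destination, and flags any destination that is not on the merchant's known-good list once the volume crosses a threshold. The log format, host names, known destinations and threshold are all assumptions; a real POS network should have an egress allow-list in the first place, so any unknown destination is a finding and the threshold only orders the triage.

```python
"""Find large transfers to unknown destinations in constructed POS egress logs.

Added example; the line format "<ts> <src> -> <dst>:<port> bytes=<n>" and all
hosts are constructed.  Documentation addresses (203.0.113.x, 198.51.100.x)
stand in for attacker infrastructure.
"""
import re
from collections import defaultdict

LOG = """
2014-08-20T22:01:15 pos-lane-03 -> payments.acquirer.example:443 bytes=4120
2014-08-20T22:01:44 pos-lane-03 -> payments.acquirer.example:443 bytes=3980
2014-08-20T23:12:02 pos-lane-03 -> 203.0.113.57:443 bytes=1572864
2014-08-20T23:12:40 pos-lane-03 -> 203.0.113.57:443 bytes=2097152
2014-08-21T01:30:09 pos-lane-07 -> updates.vendor.example:80 bytes=52428800
2014-08-21T03:45:21 pos-lane-05 -> 198.51.100.12:8080 bytes=819200
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$")

# Destinations a POS lane is expected to talk to (assumed for this example).
KNOWN_DESTINATIONS = {"payments.acquirer.example", "updates.vendor.example"}
# A POS lane has no business sending a megabyte anywhere unexpected.
THRESHOLD_BYTES = 1024 * 1024


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def suspicious_transfers(lines, known=KNOWN_DESTINATIONS, threshold=THRESHOLD_BYTES):
    """Return (src, dst, total_bytes, first_seen) for each (src, dst) pair whose
    destination is not known-good and whose cumulative volume reaches the
    threshold.  Totals are cumulative because exfiltration is usually chunked."""
    totals = defaultdict(int)
    first_seen = {}
    for rec in map(parse_line, lines):
        if rec["dst"] in known:
            continue
        key = (rec["src"], rec["dst"])
        totals[key] += rec["bytes"]
        first_seen.setdefault(key, rec["ts"])
    return sorted(
        (src, dst, total, first_seen[(src, dst)])
        for (src, dst), total in totals.items()
        if total >= threshold
    )


if __name__ == "__main__":
    for src, dst, total, first in suspicious_transfers(LOG):
        print(f"{first} {src} sent {total} bytes to unknown host {dst}")
```

In the constructed log the 50 MiB transfer to the vendor update server is ignored because the destination is known, the small transfer to 198.51.100.12 stays below the threshold (but would still be worth a look on an allow-list network), and pos-lane-03's two chunks to 203.0.113.57 add up to a finding even though neither chunk alone is large.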

For more information on this threat and recommendations, refer to the PCI SSC and Secret Service/Homeland Security bulletins at the links above.