PCI DSS and Regulatory Compliance Blog

PIN security rises in importance

August 8th, 2008 Posted in Chip PIN, Credit Card Fraud, Merchant, PCI PIN | 1 Comment »

Evan Schuman of StoreFrontBackTalk reminds us that credit card compromises that result in fraudulent ATM use can mean only one thing: the criminals had access to the cardholder’s PIN. He raises this point in reference to the recent indictment.

But the indictment casually mentions a potentially very serious fact. The group was charged with possessing customers’ track 2 debit card data—among other things. In theory, that shouldn’t have permitted ATM cash access because of the typical debit card key management technique known as DUKPT (Derived Unique Key Per Transaction).

If the hackers were able to decrypt the encrypted PIN block, or simply had access to the unencrypted PIN value, this raises awareness of the ever-important PCI PED requirements. For years now companies have been working to address PCI DSS compliance, but have they ever stopped to ask whether they are PCI PED compliant?

PED, or PIN Entry Device, refers to the hardware and integration software used in devices such as ATMs and retail debit machines. If you ever type your PIN into a terminal, you are using a PED or its software. There is an intricate list of steps and procedures for properly receiving, loading, and managing the encryption/decryption keys that protect the PIN, and an equal number of mistakes a company can make that leave the PIN unprotected.

Remember that when it comes to fraud, and the financial risk to a company, everything hinges on the attacker’s ability to compromise what is called Sensitive Authentication Data. This sensitive authentication data includes:

  1. Magnetic Stripe or Track Data
  2. CVV2, CVC2, CID
  3. PINs or PIN block data

The PCI PED standard goes into far more detail about protecting the third piece of sensitive authentication data: PIN and PIN block data. If you feel safe and secure about your current environment because you are PCI DSS compliant or because you use Chip-PIN, then ask yourself whether you are also PCI PED compliant and are using PED-lab-approved devices.
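As an added example (not code from the original post), here is a small Python checker a merchant could run over POS or application logs to spot the three sensitive authentication data items listed above being retained after authorization; the sample log lines and the field labels it looks for are constructed assumptions, not taken from any real device.

```python
"""Hypothetical defender-side scanner (not from the original post) flagging
the three SAD items the post lists, in application log lines."""
import re

# Track 2 as encoded on the stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Card-verification codes normally show up next to a field label in logs.
CVV_RE = re.compile(r"\b(?:CVV2|CVC2|CID)\s*[:=]\s*\d{3,4}\b", re.I)
# An encrypted PIN block is 8 bytes, so 16 hex digits after a PIN-block label.
PINBLOCK_RE = re.compile(r"\bPIN[ _-]?BLOCK\s*[:=]\s*[0-9A-F]{16}\b", re.I)

def luhn_ok(pan):
    """Luhn check so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_line(line):
    """Return the SAD findings for one log line (empty list if clean)."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        pan, exp, svc, _disc = m.groups()
        if luhn_ok(pan):  # report only a masked PAN, never the full one
            findings.append("track2 pan=****%s exp=%s svc=%s" % (pan[-4:], exp, svc))
    if CVV_RE.search(line):
        findings.append("cvv2")
    if PINBLOCK_RE.search(line):
        findings.append("pin-block")
    return findings

def scan_log(lines):
    """Map 1-based line number to findings for every line that retains SAD."""
    scanned = ((n, scan_line(line)) for n, line in enumerate(lines, 1))
    return {n: found for n, found in scanned if found}

# Constructed sample log; the PAN is the well-known Visa test number.
SAMPLE_LOG = [
    "2008-08-01 09:14:02 sale id=7721 amount=42.10 auth=OK last4=1111",
    "2008-08-01 09:14:02 debug raw=;4111111111111111=1012101123456789? pinblock=3F2A9C0D11E6B874",
    "2008-08-01 09:15:30 cnp order=9 cvv2=123 result=approved",
    "2008-08-01 09:16:00 note ;1234567890123456=0912101? not a valid PAN, ignored",
]

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG).items():
        print("line %d retains SAD: %s" % (n, ", ".join(found)))
```

The Luhn check keeps the fourth line, whose digit run is not a valid card number, out of the findings so that a scan over real logs is not drowned in false positives.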


Credit card theft indictments show why small crime matters

August 8th, 2008 Posted in Credit Card Fraud | No Comments »

Many of you are aware of and have read the detailed accounts of the recent indictment of many individuals involved in some of the most notorious credit card compromises. (The BBC article mentions PCI DSS.) Attorney General Michael Mukasey says in a press release that the hackers “targeted at least nine major retail corporations, including the TJX Corporation, whose stores include Marshalls and TJ Maxx; BJ’s Wholesale Club; Barnes and Noble; Sports Authority; Boston Market; Office Max; Dave and Busters restaurants; DSW shoe stores; and Forever 21.”

I’ve written about the credit card laundering underground in the past, and El Mariachi has commented on it with even more information.

My favorite credit card hacker story used to be Roman Vega (Boa Factory), but recently, given his current notoriety, it has become Maksym Yastremskiy. A friend of mine and cybercrime hunter, Gary Warner, writes about the preliminary information regarding this case and gives a detailed description of the final sentences. He does a great job of profiling each of the hackers and outlining some of their crimes.

He explains why major hackers like Maksym matter, referencing the forfeiture of these fraudulently obtained assets:

$846,762.18 in E-Gold accounts
$87,517.36 in a Parex Bank account
$3,781,436.36 in an Asia Universal Bank account
$4,862,884.96 in Western Union money transfers
$1,931,047 in US currency

He also explains why smaller hackers matter, such as the three indicted with Conspiracy to Traffic Unauthorized Access Devices.  They traded only a few credit cards, but those cards resulted in “real dollar losses of $7,000,000!”

The small numbers in Southern California should not be seen as a measure of their insignificance as criminals, but rather as a sign that when you spread multi-million dollar crime around the entire globe, it’s hard to find one small set of contiguous ZIP codes that had many losses.

For more information on the Department of Justice reports that Gary links to:


CPISM certification empowers merchants

July 30th, 2008 Posted in Merchant, Society of Payment Security Professionals | No Comments »

Congratulations to Walter Conway on his CPISM certification. If you are not subscribed to his blog, please do so, especially if you are interested in higher education. Rob’s blog is also one of those syndicated via the Society of Payment Security Professionals.

The reason I congratulate him is that he has been working for years to do exactly what we do: educate and empower people about PCI compliance. My mantra has always been to bring our expertise and education to empower those “across the table” from their auditor. Have you ever felt frustrated because one auditor tells you one thing and another tells you something else entirely? Perhaps this is just their variance in interpretation of the standard or personal risk tolerance. The problem is that if you re-engineer your environment every time you get a different auditor, you may go bankrupt!

So what can people do to learn what their auditor knows? How can people empower themselves to understand the payment card industry so they can speak about it knowledgeably? I’m not only an advocate, I’m also a member of the Society of Payment Security Professionals. They have launched the Certified Payment-Card Industry Security Manager (CPISM) certification. This certification and the training for it are geared toward educating people about the payment card industry so they can speak knowledgeably about it with others (i.e. an auditor).

Someone called me today asking about their call center: one auditor said it was not in scope and another said it was. They had just finished re-architecting their environment to create a secure payments area and were now looking at re-engineering it to accommodate the requirements of the new auditor. I told that person that they could always call upon me (as you all can via the email address and phone number on this blog), but that they would feel more confident if they empowered themselves.

It’s like the old proverb, “if you give a man a fish he will eat for a day, but if you teach a man to fish he will eat for a lifetime.”  This certification is meant to empower others to feel more confident about the decisions they make, because they invested the time necessary to learn the nuances of the industry.


PCI Survey

July 30th, 2008 Posted in Compliance, Europe | No Comments »

If you are not already subscribed to Rob Newby’s blog then maybe today is the day you do.  His is one of the few that is syndicated via the Society of Payment Security Professionals.  He has put online a survey on PCI DSS compliance that is meant to identify some of the roadblocks to compliance.

Since Rob is based in the UK this survey is targeted mostly at European companies, but I’d urge you all to participate. The more information available to the public, the more we can identify the roadblocks and remove them.

We already know that things such as Chip-PIN have had an ideological impact on PCI DSS adoption within the UK and Europe. It goes a long way toward protecting cardholder data, but it alone will not protect merchants from exposing sensitive data. Merchants must understand that integrated POS devices could retain “track equivalent data”, which cannot be retained post-authorization.

Other issues include the multi-acquirer relationships within Spain and Italy. This power shift makes it harder for acquirers to push for compliance within their merchant community.

Also, things such as Single Euro Payments Area (SEPA) may bring changes to how merchants see their PCI scope.  There are a number of things that companies must consider and an equal number of roadblocks.

In the end, excuses are just that. If you choose not to wear a life preserver just because your neighbor isn’t, then both of you will go down when the ship springs a leak. Ignorance is no excuse.

Also, if you’d rather read up on a Web App Sec survey, check it out.


Wireless and PCI - executive dinner in Chicago and Columbus

July 25th, 2008 Posted in Conferences, Wireless | No Comments »

I will be speaking at another two executive dinners on wireless security.  They are being hosted by AirDefense and Motorola with Aegenis as the guest speaker.  I did one of these in NYC and there was a good turnout and lots of questions.  In fact, some people showed up just because they read about it on this blog.  It’s a strange feeling for strangers to know so much about you because they read your blog.

Registration for the events is here:

Update: These have been canceled this week.


Podcast: ROI of Reporting Data Compromise

July 11th, 2008 Posted in Credit Card Fraud | 2 Comments »

We just published another podcast, this time on the ROI of Reporting Data Compromises.  This is a topic I’ve long loved presenting and feel energized about.  When most people think about security breaches and data compromises, they often forget about data ‘exposure’.

Also, when hackers get in some companies try the cover-up approach.  Sometimes it can be financially detrimental to NOT report a data compromise.  This podcast walks you through the reasons you should report and what could happen if you don’t.


What percent complete is your PCI project?

July 10th, 2008 Posted in Compliance | 6 Comments »

Everyone from politicians to economists tracks metrics and statistics. It’s the core of how we analyze and mentally quantify the world around us. Visa tracks merchant compliance statistics within the USA, but what about other regions? What’s happening around the world?

Rob Newby had some things to say about a recent survey of European companies. (To which I replied here.) Walt Conway just published his NABCU survey results. These surveys are all good, but many of them focus on the “percent complete” issue. It reflects the lethargy within a company if it is waiting to see others around it make a move before doing anything itself.

Really, what does it mean to you as a company if others within your geographic region are 50% done with their PCI compliance projects? Do you feel more momentum to do something if your company is on the tail end of a statistic, and less if you’re on the leading edge? I suppose Malcolm Gladwell’s book The Tipping Point is apropos here, as he argues for the theory of critical mass in the adoption of any fad.

The difficulty is that these statistics mean little to the security of your company. How many Level 1 merchants were compliant when TJX, Hannaford, or Card Services were compromised? Did it really have an effect on their security that 20%, 50%, or 90% of similar companies had addressed their compliance requirements?

When it comes to compliance the only statistic that matters is yours!  What have you done to reduce the risk of cardholder data loss at your company?  What are you doing to protect your customers’ data?  Do you even know where to start and what to do?  If you have questions post them in the SPSP Forum.

Update: Gideon Rasmussen of Bank of America wrote the document “Beyond Minimum Compliance”. Documents with names like that should show that, at least in the US, we reached critical mass long ago and people are now working on phase 2.


iPhone to bring wave of wireless woes

July 10th, 2008 Posted in Card Brands, PCI DSS, Wireless | 4 Comments »

Tomorrow, like so many others around the world I’ll be getting up early and waiting in line to purchase my new iPhone 3G when the stores open at 8 AM.  And like so many other giddy users I’ll head off to work and want to use and configure my device ASAP.

The problem this creates is an entirely new attack vector (ok, not so new) by deploying millions of Wi-Fi based cell phones that are now connected directly to corporate owned laptops.  Another way to think of this is that we are installing millions of wireless attack vectors into a corporate environment that will be undetectable from simple wired-side scanning.

When people look at PCI DSS requirement 11.1.b they think it may not apply to them because they have not purposefully deployed wireless devices. Or they may think they can simply scan the wired network looking for wireless access points. The hidden vector they are missing is devices that come with wireless access enabled: everything from laptops with radio (Wi-Fi) cards, to the iPod Touch, and now the iPhone 3G.

You see, the requirement states that people should use a “wireless analyzer” to find wireless attack vectors, but this only tells half of the story. Historically, people did this via war-driving with Pringles-can antennas attached to NetStumbler- or Kismet-enabled laptops. (I know @dacort and I did our fair share of this in a past life.) But what happens when you have 1,000 or 5,000 retail stores? What happens when you walk into one store and 50 access points show up on your screen? How do you know the difference between the good and the bad? How do you protect against not just rogue but also unauthorized access points?

That is why we wrote this lengthy FAQ on wireless. I’ll also be presenting on this topic next week in New York City (be sure to register).

Not going to be in NYC?  How about Chicago, IL (July 30, 2008) or Columbus, OH (July 31, 2008)?


SPSP on LinkedIn

July 7th, 2008 Posted in Society of Payment Security Professionals | No Comments »

The Society of Payment Security Professionals (SPSP) now has a group on LinkedIn.  I joined because I’m a payments industry and social networking junkie.

There’s also the Facebook PCI group.

If you want to add your blog to the SPSP RSS feed then apply here (you must be a member.)


IT Blog Award - IT Law and Governance

July 7th, 2008 Posted in Uncategorized | 5 Comments »

I’m not on the shortlist, but I’m still shamelessly and transitively pimping ComputerWeekly by asking you, the reader, to vote for the one you think is best (and tell them they missed the most important one). Regulatory Compliance should be a category in and of itself, since that is what drives the majority of IT and security capital these days. If it were, I also believe that PCI Compliance would be at the top of that list, and this blog would be one of the top blogs on that list.

So, here’s my list of PCI Compliance blogs that I read.

  • Society of Payment Security Professionals: this feed includes PCI Answers, Rob Newby’s blog, Walt Conway’s blog, Aegenis podcasts, and much more.
  • PCI Answers: this blog, which includes no-nonsense, clear answers to questions and issues surrounding PCI compliance.  I travel the world teaching classes and provide that experience right here.
  • Walt Conway: his is one of the few blogs that focuses entirely on PCI within a certain vertical - the higher education field.  I have presented at his conferences and know him to be highly focused on the impact of regulatory compliance.
  • Rob Newby: who focuses his blog on PCI and IT security.  He covers PCI and security throughout the UK and Europe.
  • Trey Ford: who covers PCI from an application security perspective.
  • Ed Bellis: one of the SPSP Advisory Board members and application security lead.  He writes on relevant topics to security and regulatory compliance.

Are there others that I’ve missed?
