Category Archives: pci dss

Cyber Everything & PCI DSS – The Forgotten Standard?

Senior Security Consultant for Advent IM and PCI DSS expert Mark Jones gives us his thoughts on current awareness of this important payment industry standard.

In the current information security climate where everything has ‘cyber’ prefixing the topic e.g. cybersecurity, cyber risk, cyber threats and the list goes on, is it possible organisations have forgotten about existing and very important ‘cyber-related’ standards such as the Payment Card Industry’s Data Security Standard (PCI DSS)?


As more and more business is done online in our ‘new’ cyber world – 2015 online retail sales were £52 billion, up 16.7% from £45 billion in 2014 – payment cardholder account data security is more important than ever. This includes the need for assured authentication, confidentiality and integrity of cardholder information, as traditionally provided over the past 20 years by the Secure Sockets Layer (SSL) protocol behind the padlocked HTTPS browser session. In 2014 (Special Publication 800-52 Revision 1), the US National Institute of Standards and Technology (NIST) determined that SSL, and the earliest version of its successor, Transport Layer Security (TLS v1.0, still loosely referred to as SSL), have serious weaknesses and should no longer be used. The high-profile vulnerabilities of that period illustrate two distinct problems: POODLE exploits a flaw in the design of the SSL 3.0 protocol itself, whereas Heartbleed (a memory-disclosure bug in OpenSSL) and FREAK (a forced downgrade to export-grade RSA accepted by flawed client implementations) are bugs in implementations of the protocols. The first is cured only by migrating; the second only by patching, which is why both appear in the actions below.

So, if you are an entity that stores, processes or transmits Cardholder Data (CHD), specifically the Primary Account Number (PAN), which is typically 16 digits and can be up to 19, then you should seek to comply with the latest version, v3.1, of the PCI DSS. This version, released in April 2015 by the PCI Security Standards Council (SSC), removed SSL and early TLS from the examples of strong cryptography and stated that they could no longer be used as a security control after 30 June 2016. However, the migration from SSL and early TLS to TLS v1.1 and v1.2 has caused issues for some organisations, hence the SSC update in December 2015[1] that the deadline had been extended by two years, with a new end date of 30 June 2018 for existing compliant merchants. The SSC is at pains to emphasise that this delay is not a reason to hold off migrating to a more secure encryption protocol (as defined by NIST), and that entities that can update should do so as soon as possible.

If the entity is an Acquirer (typically the merchant’s bank), payment processor, gateway or other service provider, then it MUST offer TLS v1.1 or greater as a secure service offering by June 2016. Additionally, a new PCI DSS implementation (i.e. one with no existing dependency on the vulnerable protocols) must be built on TLS v1.1 or greater from the outset, with TLS v1.2 recommended.

As you can see, PCI DSS can play a significant part in any cyber security programme, providing the entity in question is compliant with the latest version, 3.1. If you have yet to start, or are part way through, a PCI DSS implementation project, what can and should you do NOW? We recommend the following three actions:

  • Migrate to a minimum of TLS v1.1, preferably v1.2;
  • Patch TLS software against implementation vulnerabilities; and
  • Configure TLS securely.
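The third action is the one most often got wrong, so here is an added example (my own illustration, not code from Advent IM or the PCI SSC) of what a secure configuration looks like and how to check for the insecure one. It builds an outbound client context for, say, a merchant’s connection to its payment gateway that refuses anything below TLS 1.2, audits a context against the policy in this post (SSL and TLS 1.0 disallowed, TLS 1.1 the floor, TLS 1.2 recommended), and parses an nginx-style `ssl_protocols` directive to flag SSL and early TLS. The directive format and the sample line are assumptions for the example; the policy table is taken from the post.

```python
"""Check TLS protocol policy against PCI DSS v3.1 (SSL and early TLS disallowed).

Added example, not part of the original post. Needs Python 3.7+ (ssl.TLSVersion).
"""
import re
import ssl

# Policy as stated in the post: SSL and TLS 1.0 ("early TLS") must go, TLS 1.1 is
# the floor, TLS 1.2 is recommended. Names use the nginx spellings (assumed config
# format); TLSv1.3 is accepted as newer than the recommended version.
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1"}
ACCEPTABLE = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}
RECOMMENDED = "TLSv1.2"


def hardened_client_context(cafile=None):
    """Client context for e.g. a merchant-to-gateway connection:
    TLS 1.2 floor, certificate verification and hostname checking on."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION              # TLS-level compression (CRIME)
    return ctx


def legacy_client_context():
    """Deliberately weak context for comparison: no version floor, no verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    ctx.check_hostname = False        # must be cleared before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of policy findings for an ssl.SSLContext (empty list == OK)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_1:
        findings.append("minimum_version below TLS 1.1: SSL/early TLS can be negotiated "
                        "(disallowed by PCI DSS v3.1)")
    elif ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is TLS 1.1: acceptable, but TLS 1.2 is recommended")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not bound to the host name")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    return findings


_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);\s*$")


def audit_ssl_protocols(directive):
    """Parse an nginx-style 'ssl_protocols A B C;' line (assumed format) and report
    which enabled versions breach the policy, plus a corrected directive."""
    m = _DIRECTIVE.match(directive)
    if not m:
        raise ValueError("not an ssl_protocols directive: %r" % directive)
    enabled = m.group(1).split()
    unknown = [v for v in enabled if v not in DISALLOWED | ACCEPTABLE]
    if unknown:
        raise ValueError("unrecognised protocol name(s): %s" % ", ".join(unknown))
    disallowed = [v for v in enabled if v in DISALLOWED]
    kept = [v for v in enabled if v not in DISALLOWED] or [RECOMMENDED]
    return {
        "enabled": enabled,
        "disallowed": disallowed,
        "compliant": not disallowed,                 # the post-deadline PCI DSS v3.1 rule
        "recommended_present": RECOMMENDED in enabled,
        "fixed": "ssl_protocols %s;" % " ".join(kept),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit_context(ctx) or "OK")
    # Constructed directive, as found in a pre-migration nginx.conf
    print(audit_ssl_protocols("ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"))
```

To test a live endpoint rather than its configuration, pin a client to one version and see whether the handshake completes, e.g. `openssl s_client -connect host:443 -tls1` should be refused by a migrated server. Bear in mind that recent OpenSSL builds may decline to offer TLS 1.0 themselves, so a failed handshake proves nothing unless the alert comes from the server.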

If you need any further help and guidance with PCI DSS, please contact Advent IM…

[1] http://blog.pcisecuritystandards.org/pci-changes-date-for-migrating-from-ssl-and-early-tls


Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools and we discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.

 

In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.

 

In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking about Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote, with clarity, about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. Also in August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press, sometimes as a hero but usually as a villain… well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencer were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, the Bank of England expressed some firm opinions on cyber security requirements in the financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and the EU DP Regulations were also extensively read in November.

And finally, December… Well, the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included, and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally, TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.


PCI-DSS PA-DSS (v3.0) Expected Change Highlights (v1.0) Tool

As mentioned in a previous blog post, the payment card processing standard has some changes coming up. The standard should be issued in full next month; in the meantime, and as promised, we are offering a free guide to the anticipated changes to allow you to get ahead of the curve.

You can get it free from the Advent IM website on the news page or on the dedicated PCI-DSS page.


PCI-DSS PA-DSS changes – latest updates

Anticipated changes to the standard for payment card security have been announced, and the PCI Security Standards Council has issued some guidelines ahead of the final changes to help merchants get ahead by reviewing and understanding the changes before their implementation. The revised standard (Version 3.0) is due to come out in November this year.

According to the Change Highlights document, the updated versions of PCI-DSS and PA-DSS will:

  • Provide stronger focus on some of the greater risks in the threat environment
  • Provide increased clarity on PCI-DSS & PA-DSS requirements
  • Build greater understanding on the intent of the requirements and how to apply them
  • Improve flexibility for all the entities implementing, assessing and building to the Standards
  • Drive more consistency among assessors
  • Help manage evolving risks/threats
  • Align with changes in industry best practices
  • Clarify scoping and reporting
  • Eliminate redundant sub requirements and consolidate documentation

Key themes for the new version include:

Education & Awareness – to help drive education and build awareness internally and with business partners and customers.

Increased Flexibility – Enabling organisations to take a more flexible approach on meeting requirements in common risk areas such as weak passwords, malware and poor authentication methods.

Security as a Shared Responsibility – Changes introduced to help organisations understand their PCI-DSS responsibilities when working with different business partners to ensure cardholder data security.

Emerging technologies

The PCI-DSS and PA-DSS are built in a way that their principles can be applied to a variety of cardholder data environments, such as mobile or cloud. The PCI Special Interest Group issues separate, specific guidance for mobile via the PCI SSC website (Mobile Payment Acceptance Security Guidelines for Merchants).

COMING SOON!

We will be issuing our own guidance document soon. Watch this blog or our website news and dedicated PCI-DSS page.

Fraud fears grow – “contactless” technology and your bank card

“Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology, writes Channel 4 News technology producer Geoff White.” This is from an article on the Channel 4 website today (29th March).

I contacted one of our Senior Security Consultants for comment on this.

Will a lead lined wallet be the only solution?

This is nothing new, as it was reported 5 years ago, in late 2007. I recall reading that this new technology could put holders of such cards at risk from ‘contactless pick-pocketing’.

The main difference is that other new technology, such as smartphones equipped with suitable, easily available software, is now available to the bad guys to intercept the holder’s non-encrypted Name, Primary Account Number (PAN) and Expiry Date transmitted by the contactless card to the payment reader.

Normally, such information by itself should not lead to a successful fraudulent transaction, as other details such as the holder’s address, PIN and/or the CVV number on the card are required for an approved card transaction to take place. So the contactless card and card reader providers are looking to make their end of the transaction more secure, e.g. by making the range from reader to card very small or zero – à la Oyster – making it difficult for an intercepting smartphone, as it too would have to be very close to the user to read the information. For example, if the reader range is limited to a 2.5cm / 1 inch radius then the interception technology typically has to be within 18cm / about 7 inches. Of course, they may just look at encrypting the data stream from the contactless card to the reader, just as online transactions are protected by SSL encryption.

Of course, if websites such as Amazon have allowed card transactions to take place with only Name, PAN and Expiry Date details, that goes against VISA and other card provider rules, so they must review their practices as a matter of urgency. Meanwhile, whilst all this is going on, concerned users could go out and buy themselves a metal shielded wallet for their cards to stop the ‘contactless pickpocketing’ of information by the fraudsters!

PCI DSS states that the CVV must not be stored anywhere except briefly when the card is authorised for use as payment, after which it must be securely deleted. But the sellers of goods know they must use all the elements described, else it will be they who lose out, as they are not following the rules for using credit cards. It is the sellers who need to get their act together – I must admit I cannot remember any time when I have not been required to give all the details, whether over the phone, by post, email or Internet. Given that it was reported in the Channel 4 article that lists of websites which do not require the CVV are shared by fraudsters, though, clearly there is a huge risk being taken by the websites that allow this.

As for the contactless cards – like all new and emerging technologies – the initial security requirements will change in response to new and emerging threats, as has always been the case. Users are more savvy now than they ever were, so that helps as well in combating fraud. I take it you check your bank and credit card statements item by item on a monthly basis? If there has been fraud, typically your bank will refund you after an investigation, and if the seller has been negligent they will be liable to fines and penalties and possible withdrawal of card payment services.
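To make concrete what a reader in the scenario above actually receives from a contactless card, and what PCI DSS then allows the receiving party to keep, here is an added example of my own; it is not code from the consultant, Advent IM or the card schemes. The record it parses is the EMV Track 2 equivalent layout that contactless cards return (PAN, ‘D’ separator, YYMM expiry, three-digit service code, discretionary data, optional ‘F’ padding); the sample record is constructed around the well-known Visa test PAN 4111 1111 1111 1111. The CVV2 printed on the back of the card is not in that record at all, which is the consultant’s point about PAN and expiry alone. The masking follows the PCI DSS display rule (first six and last four digits at most) and the record kept after authorisation carries neither full track data nor any CVV.

```python
"""Parse a contactless (EMV) Track 2 equivalent record, validate the PAN and
reduce it to what PCI DSS permits to be shown or kept.

Added example, not part of the original post or the consultant's comment.
"""
import re

# EMV Track 2 equivalent data (tag 57): PAN 'D' YYMM service-code discretionary [F...]
# The printed CVV2 is not transmitted, so PAN + expiry is all an eavesdropper gets.
_TRACK2 = re.compile(
    r"^(?P<pan>\d{12,19})D(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)F*$")


def luhn_valid(pan):
    """Luhn check digit (ISO/IEC 7812): a cheap filter for mis-read or fabricated PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2_equivalent(track2):
    """Split a Track 2 equivalent record into its fields, rejecting malformed input."""
    m = _TRACK2.match(track2.strip().upper())
    if not m:
        raise ValueError("not a Track 2 equivalent record")
    pan = m.group("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    yy, mm = m.group("expiry")[:2], m.group("expiry")[2:]
    if not 1 <= int(mm) <= 12:
        raise ValueError("bad expiry month")
    return {
        "pan": pan,
        "expiry": "%s/%s" % (mm, yy),          # MM/YY, as printed on the card
        "service_code": m.group("service"),
        "discretionary": m.group("disc"),
    }


def mask_pan(pan, lead=6, trail=4):
    """PCI DSS display masking: at most the first six and last four digits visible."""
    lead, trail = min(lead, 6), min(trail, 4)
    if len(pan) <= lead + trail:
        raise ValueError("PAN too short to mask")
    return pan[:lead] + "*" * (len(pan) - lead - trail) + pan[-trail:]


def storable_record(parsed):
    """What a merchant may keep after authorisation: masked PAN and expiry only.
    Full track data (service code, discretionary data) and any CVV are dropped."""
    return {"pan_masked": mask_pan(parsed["pan"]), "expiry": parsed["expiry"]}


if __name__ == "__main__":
    # Constructed record: Visa test PAN, expiry 12/25, service code 201, F padding.
    parsed = parse_track2_equivalent("4111111111111111D25122010000000000F")
    print(parsed)
    print(storable_record(parsed))
```

The same three functions apply to a magnetic-stripe Track 2 read; only the source of the record differs, which is why PCI DSS treats stored track data from either interface the same way.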

If you or your business need support with PCI-DSS compliance or other security related issues, you can visit the website http://www.advent-im.co.uk/pci_compliance.aspx