Tag Archives: PCI

Credit Cards in the Cloud, Oh My!

Way back in the dark ages of 2013, the PCI Security Standards Council (PCI SSC) released a document on processing credit cards in the cloud.  It was 52 pages.

This month the PCI SSC released a new version of that same document.  It is now 83 pages.

This version seems to better understand the risk of the cloud, where you often do not even know what precise infrastructure you are running on, or who else shares it.

Ultimately, if you accept credit cards, you own the risk and, contractually, you are responsible, even if the cloud provider says "trust us".  For a copy of the new guidance, click here.

Information for this post came from The Register.

What does this mean for you?

Of course, if you don’t accept credit cards, then it is not a concern, but most organizations do accept payment cards in some form.

Some companies have outsourced payment cards to providers like PayPal or Square.  That used to mean that you were not accountable for security, but that changed a couple of years ago.  The requirements are simpler, but you are still responsible.

But let's say you are a company that does e-commerce and your servers run in the cloud.  You may collect the credit card information and hand it off to a gateway.  This applies to you.

In general, all companies that accept credit cards are required to complete an assessment at least once a year.  The PCI Council has created a number of different self-assessment questionnaires (SAQs), and which one applies depends on your configuration, for example whether you redirect customers to a third-party payment page, use a virtual terminal, or store card data yourself.

For everyone but the largest players, you can do the assessment yourself.  You can also get an outside provider to help you complete the assessment.  We call this a guided self-assessment. You are responsible for the results, but we can help you navigate the process.

Your credit card processor can fine you, or drop you altogether, if you do not provide your completed assessment when they ask for it.

Also, the assessment is pass-fail.  Either you answer all of the questions correctly, or you fail.  A single NO is a fail, unless a compensating control has been documented and accepted for that requirement.

If you have questions, please give us a call.





Businesses Get More Time To Upgrade Buggy Encryption Software

The PCI Council, the standards body that dictates the rules for merchants and service providers that accept payment cards (Mastercard, Visa and the like), last year released a directive (PCI DSS version 3.1, published in April 2015) that everyone had to eliminate SSL 3.0 and TLS 1.0 in favor of newer versions, TLS 1.1 or, preferably, TLS 1.2.  The reason was that those protocol versions have known, design-level weaknesses that are UNFIXABLE: they cannot be patched, only retired.  The Council set a deadline of June 30, 2016, a little over a year from when it released the directive, for people to fix the problem.

Large organizations apparently complained that they have implemented a bit of a rat's nest (no big surprise) and that, with everything else on their plate, they were not going to be able to get to replacing the broken SSL/TLS implementations in time.

As a result, the PCI Council moved the deadline from June 30, 2016 to June 30, 2018, three years from the original directive.

One thing that is important to understand is that the PCI Council only changed the date after which running the old protocols puts you in violation of your merchant agreement with your bank.  It did not relieve you of liability in case of a breach.

In fact, I assume that plaintiff's counsel will be asking whether a breached merchant was still running a known vulnerable version of the encryption protocols at the time the breach occurred.  One would assume that this would not work to the merchant's advantage at trial or in settlement negotiations.

Given this announcement, I expect that the organized hacking enterprises (in China, Russia and Ukraine, for example) will be looking for businesses that have not upgraded and will specifically target them.  Given that there are known attacks against these protocol versions, that makes those businesses an easy target.

What I am suggesting here is that even though the PCI Council has granted an extension, businesses should not delay their encryption upgrade projects.  The first step is the same regardless of the deadline: find out which of your servers still accept SSL 3.0 or TLS 1.0, and which of your customers' and partners' clients still depend on them, so you know what will break when you turn them off.
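One practical way to find the clients that will break when TLS 1.0 is switched off is to look at the ClientHello messages they send, since the highest protocol version a client will accept is in that first message.  The following is an added example, not code from the original post or from the PCI Council: a small parser for TLS ClientHello records that reports the highest version each client offers and flags anything capped at SSL 3.0 or TLS 1.0.  The record and handshake layouts follow RFC 5246 and the supported_versions extension from RFC 8446; the sample ClientHellos are constructed in the script for illustration rather than captured from real traffic, and `build_client_hello` exists only to produce that test data.

```python
"""Flag TLS ClientHellos whose highest offered version is SSL 3.0 or TLS 1.0.

Added example. Record/handshake layout per RFC 5246; the supported_versions
extension (type 0x002B) per RFC 8446. All sample records below are constructed
here for demonstration, not captured traffic.
"""
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: client_hello
EXT_SUPPORTED_VERSIONS = 0x002B

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# Versions PCI DSS 3.1 told merchants to retire ("SSL and early TLS").
DEPRECATED = {0x0300, 0x0301}


def build_client_hello(legacy_version, supported_versions=None, cipher_suites=(0x002F,)):
    """Construct a minimal ClientHello record (constructed test data only)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                      # ClientRandom, fixed so output is reproducible
    body += b"\x00"                           # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    if supported_versions is not None:        # TLS 1.2+ clients carry this extension
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!B", len(vers)) + vers
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # The record-layer version is conventionally 0x0301 regardless of what is negotiated.
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return legacy_version and the supported_versions list (or None) from a ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                             # skip client_version and ClientRandom
    pos += 1 + body[pos]                      # skip session_id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + cs_len                         # skip cipher_suites
    pos += 1 + body[pos]                      # skip compression_methods
    supported = None
    if pos < len(body):                       # extensions are optional (absent on old clients)
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                n = data[0]
                supported = [struct.unpack_from("!H", data, 1 + i)[0] for i in range(0, n, 2)]
    return {"legacy_version": legacy_version, "supported_versions": supported}


def highest_version(info):
    """Highest version the client will accept: the extension list if present, else legacy_version."""
    if info["supported_versions"]:
        # Drop GREASE placeholders (0x0A0A, 0x1A1A, ... 0xFAFA) that browsers insert.
        real = [v for v in info["supported_versions"]
                if not ((v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A)]
        if real:
            return max(real)
    return info["legacy_version"]


def audit(record):
    """Report the client's ceiling and whether it will break once SSL 3.0/TLS 1.0 are disabled."""
    top = highest_version(parse_client_hello(record))
    return {"highest": VERSION_NAMES.get(top, hex(top)), "needs_upgrade": top in DEPRECATED}


# Constructed sample "captures" standing in for records pulled from a packet trace.
SAMPLE_CAPTURES = {
    "legacy-pos-terminal": build_client_hello(0x0301),
    "ancient-browser": build_client_hello(0x0300),
    "tls12-only-client": build_client_hello(0x0303),
    "modern-browser": build_client_hello(0x0303, supported_versions=[0x0A0A, 0x0304, 0x0303]),
}


def audit_captures(captures=SAMPLE_CAPTURES):
    """Audit every captured ClientHello and return {name: result}."""
    return {name: audit(rec) for name, rec in captures.items()}


if __name__ == "__main__":
    for name, result in audit_captures().items():
        flag = "UPGRADE" if result["needs_upgrade"] else "ok"
        print(f"{name:20s} highest={result['highest']:8s} {flag}")
```

Run against real traffic, the records would come from a capture filter on port 443 with the first handshake record of each connection fed to `audit`; the two clients flagged above are the ones whose connections will fail once the server's minimum is raised to TLS 1.1 or 1.2.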

The payment card industry, as a whole, loses tens of BILLIONS of dollars a year to payment card fraud.  A 2011 Forbes article puts the figure at $190 billion a year.  Even if Forbes has the number too high by a factor of 2 or 3, that is still a huge number.  That cost is reflected in the higher prices and fees that customers, consumers and businesses alike, pay.  By delaying the encryption fix by two more years, the PCI Council is all but guaranteeing that fraud costs will rise over that period, possibly significantly.

Information for this post came from Slashdot and the PCI Council.

PCI Compliance

Dark Reading reported on Verizon's PCI compliance report and I think the numbers are interesting, but not terribly unexpected (see article).  The actual report, all 84 pages, is available here.

Most of the time (maybe always), when a business has an assessment done by a third-party assessor, that assessor will do an interim assessment first.  The purpose of the interim assessment is to find as many weaknesses as possible so that the business can fix them before the final assessment.  That means the final assessment overstates the level of compliance the business actually sustains.  For that reason, Verizon looked at the interim assessments instead of the final ones.

Verizon said that last year, about 20 percent of the companies were fully compliant at the interim assessment.  That means, of course, that 80 percent of the businesses that have a contractual requirement to be PCI compliant were not compliant.

The good news in that, if there is any, is that the 20 percent number is an improvement.  That number was 11% in 2013 and 7.5% in 2012.  That means that between 2012 and 2014, the share of businesses that managed to comply with the terms of the contract they signed with their banks, for at least one point in time, increased by almost a factor of 3.  If you are a glass-half-full kind of person, that is good news.  If you are not, it means that before, more than 90% of the businesses were out of compliance, and now only 80% are.

Verizon also said that only 28% of the businesses they assessed managed to stay compliant from one review to the next.  That means that more than two thirds of the businesses could not remain within the terms of their contracts for even one year.

That kind of explains why we see all the data breaches in the news.  I think that is not likely to change unless banks start enforcing the terms of the contracts.  Banks don’t want to do that because they are afraid you will take your business somewhere else.

This difference, between a point-in-time validation and ongoing compliance, may in fact be the key point in the lawsuits against Home Depot.  Home Depot has admitted that it "may not" have been in compliance at the time of its breach.

PCI compliance is a pretty low bar.  Even if you are compliant, it does not mean that the bad guys won't get in.  But it is fair to say that if you can't even maintain that level of security between reviews, other, more complex security measures are even less likely to be in place and effective.

One strategy, actually the one that many businesses prefer, is to hope that the hackers don't come visit you.  With only around 3,000 breaches reported last year out of millions of businesses, that seems like a good bet.

The problem is that only breaches that violate the law (like the theft of non public personal information or health care information) are required to be reported.  And, while I can’t prove it, I bet that many of those go unreported.

Also, companies will only report breaches that they know about.  For example, Lowe's announced a breach last May (2014) in which the attackers had been inside its systems since July 2013.  If Lowe's had been asked in, say, January 2014 whether it had been breached, it would have answered NO.  It would have been wrong, but that is what it would have said.

Finally, theft of intellectual property is often not reported.  After all, the police will likely not be able to catch the thieves, and as long as the theft is not publicly visible, the news won't pick it up.  An example of this is the F-35 Joint Strike Fighter that Lockheed is building at a cost of hundreds of billions of dollars.

Mashable reported that documents leaked by Edward Snowden and published in Der Spiegel show that the NSA was aware that the Chinese had stolen terabytes of documents on the F-35.  That data was used to help China create the J-20 and J-31 stealth fighters.

The report that Snowden leaked was classified Top Secret.  In part that is because once the "cat is out of the bag," the U.S. does not want the Chinese to know that we know.  The other reason is that after spending $300 billion on the F-35, nobody wants to admit that the Chinese were able to steal the plans and build their own version for a whole lot less.

How the F-35 story applies to regular businesses is that when they suffer intellectual property breaches, they typically treat them as their own version of Top Secret, if they even know they were hacked, and the breach is never reported.  This also includes things like sealed bids.  If your competitor hacks you, finds out what you are going to bid, and underbids you, how do you prove that?  You just lose the work.

Bottom line is that businesses are not doing very well at security and it makes the job of the bad guys a whole lot easier.




Why we are going to see more card breaches at retailers

An article in VentureBeat the other day suggested 7 reasons why we are going to continue to see credit card breaches at retailers.  First I will share their list, then I will add my own.

Their list includes:

  1. The PCI standard is failing to protect merchants from breaches.
  2. Merchants are not implementing P2PE (point-to-point encryption, which encrypts card data in the terminal so the merchant's systems never see it in the clear).
  3. Retailers introduce new payment hardware (such as tablets) that is neither designed nor tested for security in a hazardous retail environment.
  4. Merchants add new features to their payment platforms as patches to already buggy systems.
  5. Many POS systems are still running Windows XP.
  6. Many card breaches lead back to Russia, and Russian hackers treat attacks on American systems as a patriotic act.
  7. EMV is not a silver bullet.

The article goes into more detail on each of these, but the reasons are probably obvious.  I don't disagree with any of their conclusions.

Possibly the biggest reason that we will see continued breaches is that fixing the problem is hard.  It requires changes to software, far more testing, replacement of old, outdated platforms, and changes to business processes.  All of these require time, money, and possibly expertise that both brick-and-mortar and online retailers have not yet prioritized highly enough.  So what retailers do is comply with the PCI rules and state laws and leave it at that.

On top of it, no matter what you do, there is no quick fix.  You can do many different things and still get hacked.  It has been, and likely always will be, a cat and mouse game.

And the public is quick to forget (although this has not yet worked for Target, which is still struggling a bit), so retailers add a few more patches and call it good.

From the retailer’s perspective, if someone told you to spend an unending bucket-o-cash on a problem without any assurances that the problem will be fixed, what would you do?

Anyone got a silver bullet?

Mitch Tanenbaum