49 Million People in US Notified of Data Breaches Since 2004
November 13, 2006 by tim.
According to an article on TechWeb on November 10, 2006, an estimated 49 million adults in the US have been notified “that their personal information has been lost, stolen, or improperly disclosed” during the past three years. The survey concludes that data breaches have affected 1 in 5 adults in the US. The survey was conducted by Harris Interactive in October.
The Fraud Update column in the November 2006 issue of Transaction World addresses several pertinent data security topics, including the impact of version 1.1 of the PCI Data Security Standard. Bryan Sartin, Managing Principal of CyberTrust in Herndon, VA, emphasizes how important it is for merchants to know where sensitive customer data (such as cardholder information) is stored and who has access to it. “Companies need to have a data retention plan and a data control policy in place.” He also makes a very significant assertion: “There’s no record of any merchant being compromised who’s PCI compliant.”
As one who has been through the PCI certification process, I find it comforting to know that no PCI compliant company has been hacked. However, the real key is that PCI compliance is NOT a one-time event: it dictates a constant, methodical process to ensure that data is always secure.
Posted in Data Breach Regulations | No Comments »
An Overview of Data Breach and Privacy Legislation
October 26, 2006 by tim.
This week’s Information Week has an excellent overview of data breach and privacy legislation that is under consideration by both the House and Senate. One bill, HR 4127, the Financial Data Protection Act, is ready for a House vote when Congress reconvenes after the November elections. It would require organizations to protect personal data and provide nationwide notice in the event of a data breach.
Here are some of the other key bills:
HR 6163 - Federal Agency Data Breach Protection Act
HR 3997 - Data Accountability and Trust Act
S 2169 - Financial Data Protection Act
See my previous post for an overview of existing data breach legislation.
Posted in Data Breach Regulations | No Comments »
Visa Issues Alert and Steps Up PCI Enforcement
October 25, 2006 by tim.
Visa, in conjunction with the US Chamber of Commerce, has published an alert that identifies the leading causes of data breaches. Full details can be found at the Chamber’s website. The five leading causes of card-related breaches are:
1) Storage of mag stripe data
2) Missing or outdated security patches
3) Use of vendor supplied default settings and passwords
4) SQL injection
5) Unnecessary and vulnerable services on servers
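Cause #4 on the list is a code defect rather than a configuration one. The following is an added example, not code from the original post or from Visa: it shows the defect and the fix side by side in Python's built-in sqlite3 module, on an in-memory table of constructed sample orders (the card numbers are well-known test values, not real accounts). The hostile input is the textbook tautology used in every secure-coding course; the point is that the hardened version returns nothing for it.

```python
"""Added example: why SQL injection is a code defect and what the fix looks like.
Uses an in-memory SQLite database with constructed sample rows."""
import sqlite3

# Constructed sample data: an order lookup table a small e-commerce site might keep.
# Card numbers are well-known test values and are stored masked, as PCI DSS expects.
SAMPLE_ORDERS = [
    ("ORD-1001", "alice@example.com", "411111******1111"),
    ("ORD-1002", "bob@example.com", "555555******4444"),
]


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, email TEXT, masked_pan TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Defect: the caller-supplied value is pasted into the SQL text, so a quote
    character in it changes the meaning of the WHERE clause."""
    sql = "SELECT order_id, email FROM orders WHERE order_id = '%s'" % order_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, order_id):
    """Fix: the value travels as a bound parameter. The database engine treats it
    purely as data, whatever characters it contains."""
    sql = "SELECT order_id, email FROM orders WHERE order_id = ?"
    return conn.execute(sql, (order_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    hostile = "x' OR '1'='1"  # classic tautology: makes the vulnerable WHERE always true
    print("vulnerable:", lookup_vulnerable(db, hostile))  # every row comes back
    print("hardened:  ", lookup_hardened(db, hostile))    # no row has that literal id
```

The same principle applies to any database driver: build the statement once with placeholders and pass values separately. Input validation on top of that is a good second layer, but it is the parameter binding that removes the defect.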
Also, the GreenSheet recently reported that Visa has increased its efforts to enforce compliance with PCI standards. The article states that all Level 1 merchants were required to validate compliance by Sept. 30, and that there are approximately 20 level 1 merchants that are currently subject to fines ranging from $10,000 to $100,000 PER MONTH for failure to comply.
In the October issue of Transaction World magazine, Michael E. Smith, Senior Vice President of Enterprise Risk and Compliance for Visa USA, has published an article entitled Targeting the Main Source of Cardholder Data Breaches. He cautions that “…some payment applications may inadvertently store prohibited, sensitive cardholder information,” creating a situation where merchants don’t even realize that they have a security risk. He also advises that merchants should check the list of PABP (Payment Application Best Practices) validated products on Visa’s site at www.visa.com/cisp. And he emphatically states that “Visa expects all payment application vendors to adhere to the PABP.” This article is one of the most direct declarations that I have seen of Visa’s intent to make PABP mandatory for all payment applications.
Posted in Payment Card Industry / Credit Card Security | No Comments »
Does PCI Compliance Ensure Compliance With Privacy Laws and Regulations?
October 20, 2006 by tim.
Given the complexity of Payment Card Industry (PCI) compliance, many organizations may conclude that complying with the PCI DSS will then ensure compliance with the myriad of state and federal laws and regulations that address privacy and data security (see Payment Card Industry Compliance and Data Breach Laws). Dr. Heather Mark addresses the relationship between PCI compliance and privacy in this month’s edition of Transaction World magazine.
She specifically addresses the legal requirement to provide a Notice, which is usually covered in the Privacy Policy on a website. She says that future articles will “attempt to answer the questions surrounding the intersection of privacy and security.” This should be a very helpful source of information for organizations trying to navigate these treacherous waters.
Posted in Data Breach Regulations, Payment Card Industry / Credit Card Security | No Comments »
The Impact of Payment Card Industry Security Requirements on Payment Software Applications
October 13, 2006 by tim.
There is a great article in today’s edition of InfoWorld that talks about how the new credit card security requirements will have “repercussions across the entire high-tech industry,” according to writer Ephraim Schwartz. He specifically talks about how Visa’s Payment Application Best Practices (PABP) “will quickly turn into de facto VISA requirements, as users of the software, such as merchants or card processors, face stiff fines for using noncompliant software.”
If you are a merchant, Visa mandates that it is your responsibility to use software applications that are PABP compliant. In fact, your merchant services agreement has likely already been revised to include such language. However, simply choosing an application from the list does not satisfy the PCI Data Security Standard: the entire environment must be compliant, not just the application. This means that the server and the entire network on which the payment application resides must comply with all of the PCI DSS.
Alternatively, merchants can outsource their payment processing to a Service Provider that has been recognized as fully PCI compliant by being included on Visa’s List of Compliant Service Providers.
Posted in Payment Card Industry / Credit Card Security | No Comments »
Small E-Commerce Sites Targeted for Identity Theft
October 6, 2006 by tim.
Everybody knows that hackers focus their efforts on large e-commerce sites because of the huge treasure trove that these sites represent, right? Hackers aren’t going to waste their time going after small, virtually unknown e-commerce sites, are they? While this might be the conventional wisdom, Brian Krebs has a very interesting article in the 9/28/06 edition of The Washington Post that presents a totally different picture.
The article, titled ID Thieves Turn Sights on Smaller E-Businesses, describes how hackers penetrated a small e-commerce site and posted stolen credit card information “into an online forum that caters to criminals engaged in credit card and identity theft.” Mr. Krebs also exposes the sometimes false sense of security that is conveyed by security seals on sites.
I highly recommend this article as an exposé of how this dark world operates. Certainly, it is good for a site to be tested by a security scanning vendor. However, as Mr. Krebs points out, this is not foolproof, and he cites examples of how hackers penetrated sites that were thought to be secure. Here is one particularly revealing line from Mr. Krebs’ article: “Jason Lam, who teaches a course on securing Web sites for the SANS Institute, a Bethesda, Md.-based security research and training group, estimated that Web site scanning services in most cases only identify about 60 percent of a Web site’s potential security problems.”
This article really exposes the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). Many merchants and service providers claim that they are secure because they use SSL, or because they pass all the tests from a scanning vendor, or because they have a firewall. Yes, these are all good measures, but they are just a small part of the rigorous requirements of the PCI DSS.
For a merchant, particularly a small- to medium-sized e-commerce site, the easiest way to comply with the PCI requirements is to avoid them altogether by outsourcing to a PCI-compliant service provider. But don’t just take the provider’s word for it: the only way to know whether a service provider is PCI compliant is to find it in Visa’s official List of CISP Compliant Service Providers.
Posted in Payment Card Industry / Credit Card Security, Electronic Payment Security - General | No Comments »
Payment Card Industry Compliance and Data Breach Laws
October 3, 2006 by tim.
As if complying with the Payment Card Industry requirements, including the newly revised Data Security Standard, were not already challenging enough, any entity that stores sensitive personal information must also comply with a myriad of regulations such as data breach laws. About.com has an excellent section about identity theft and data breach disclosure.
Currently, there is no federal law that directly addresses data breaches, but numerous states have enacted their own legislation. Unfortunately, these laws are very diverse, with little consistency on even fundamental components like the definitions of key terms such as breach, personal information, and risk. Furthermore, since these laws protect residents of each of these states, an entity that stores personal information is subject to that resident’s state laws, even if the entity does not have a location in that state.
One of the best sources that I have found for concise information about state laws regarding data breaches is the Security Breach page on the VigilantMinds site. They provide an executive summary of state legislation as well as a matrix that compares key provisions of all of the state laws. In addition, they provide links to the actual legislation of each state. While this is certainly not a substitute for seeking legal advice on this matter, their site can save you and possibly even your attorney a lot of time.
Earlier this year, a draft bill was debated by the House of Representatives. The bill was called the Data Accountability and Trust Act (DATA), and if passed, it would have preempted all existing state laws. For now, the bill has been tabled. Dr. Heather Mark published an article entitled The Ever Changing Challenge of Compliance that gives an excellent overview of the provisions of this bill.
If your organization stores personal information, I hope that the links above will help you better understand the maze of regulations related to data breaches.
Posted in Data Breach Regulations, Payment Card Industry / Credit Card Security | No Comments »
Recent Changes to the Payment Card Industry Data Security Standard
September 29, 2006 by tim.
Earlier this month, the PCI Security Standards Council announced version 1.1 of the Payment Card Industry Data Security Standard (PCI DSS). It is a bit challenging to find a description of the changes from the original version, at least on the “official” sites. However, there have been some fairly informative articles in industry publications that address some of these points.
In an article in InfoWorld entitled Card Industry Targets App Security, Paul F. Roberts highlights how the new standards focus on application security, especially as it relates to track data. Citing an analyst at Gartner, Mr. Roberts writes that track data “is valuable to hackers and identity thieves because it can be used to make counterfeit cards.” Martin Elliott, director of corporate risk and compliance at Visa, also spoke with Mr. Roberts about the risks related to track data, and Mr. Roberts writes, “In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the merchant unprotected while giving the merchant a misplaced sense of security.” Mr. Roberts has exposed the myth of security from packaged applications. Visa has published its Payment Application Best Practices to address these security concerns, as well as a List of CISP-Validated Payment Applications.
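The practical question behind this paragraph, and behind cause #1 (storage of mag stripe data) in the Visa alert above, is how a merchant finds out whether an application has been caching track data. The following is an added example, not code from the article, from Visa, or from any vendor: a small scanner that looks for ISO/IEC 7813 Track 1 and Track 2 layouts in text files a merchant keeps (application logs, debug dumps, exports), filters hits with a Luhn check so that random digit runs are not reported, and reports the card number masked. The log lines, cardholder name and card numbers are constructed test values, not real records.

```python
"""Added example: scan stored text for magnetic-stripe track data.
Track layouts follow ISO/IEC 7813; sample data below is constructed."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan):
    """Luhn check-digit test: rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Show at most the first six and last four digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(lines):
    """Return one finding per match: (line number, track type, masked PAN, expiry YYMM)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in TRACK1_RE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append((lineno, "track1", mask(pan), m.group(3)))
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append((lineno, "track2", mask(pan), m.group(2)))
    return findings


# Constructed sample: a POS debug log in which the application logged the full swipe.
SAMPLE_LOG = [
    "2006-09-14 10:02:11 INFO  sale start terminal=07",
    "2006-09-14 10:02:12 DEBUG swipe=%B4111111111111111^DOE/JANE^0912101000000000?",
    "2006-09-14 10:02:12 DEBUG swipe2=;5555555555554444=0912101000000000?",
    "2006-09-14 10:02:13 DEBUG ref=;1234567890123=0912101?",  # fails Luhn: not a PAN
    "2006-09-14 10:02:14 INFO  sale approved auth=123456",
]

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print("line %d: %s data found, PAN %s, expiry %s" % hit)
```

Run it over log directories, database exports and temp folders on the payment server; a single hit means the application is retaining data that the PCI DSS prohibits storing after authorization, and the finding itself should be handled as cardholder data (hence the masking). A regex scanner of this kind is a spot check, not proof of absence: encrypted or binary caches will not match.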
Another article, published in Transaction World under the title What’s Next With PCI Compliance, also addresses the Payment Application Best Practices. Its author points out how the credit card companies have imposed tighter restrictions on even lower volume merchants, stating that “POS developers as well as smaller and mid-size merchants are now under scrutiny.”
Certainly, by imposing the tighter standards on payment applications and smaller merchants, Visa and MasterCard are forcing these organizations to spend drastically more on PCI compliance. However, with the proliferation of hacking, the entire payment network is only as strong as its weakest link, so even these holes must be plugged. As an alternative, these organizations — especially merchants — should investigate their options for outsourcing their payment processing to a certified PCI compliant service provider, which may offer substantial savings versus the costs of self-compliance.
Posted in Payment Card Industry / Credit Card Security | No Comments »
PCI Compliance for Service Providers FAQ
September 25, 2006 by tim.
What is a PCI Service Provider?
Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined to be a Service Provider by the Payment Card Industry (PCI) guidelines. Visa’s website provides the clearest information about how the PCI Data Security Standard (DSS) applies to Service Providers. However, Visa is just one of the companies participating in PCI, so a Service Provider must understand and adhere to the security program of each major credit card company, each of which has its own set of requirements for compliance and registration.
How do we know what Service Provider Level we fit in?
Each of the credit card companies that participate in PCI has its own rules that define Service Provider Levels. For example, Visa, whose rules are available on its CISP for Service Providers page, defines the levels based on the number of annual transactions. However, there is one very important distinction in Visa’s rules that is overlooked by many service providers. By Visa’s definition, any service provider that stores, processes, and/or transmits cardholder data as part of a payment transaction is a Level 1 Service Provider. So in other words, a company that has access to cardholder data as part of a payment is automatically defined to be Level 1.
MasterCard is also very clear in defining the levels for Service Providers for its SDP program. MasterCard defines two categories of Service Providers: Third Party Processors (TPP) and Data Storage Entities (DSE). The Service Provider Levels Defined page defines all Third Party Processors to be Level 1.
What are the requirements for becoming a Level 1 Service Provider in compliance with the PCI DSS?
There are two primary qualifications of a PCI Level 1 Service Provider. The first is the successful completion of an On-Site PCI Data Security Assessment that is validated by a Qualified Security Assessor. To pass the Data Security Assessment, the company must demonstrate compliance with 100% of the requirements detailed in the PCI Security Audit Procedures, which contains over 250 specific points of compliance. The second qualification is successful completion of a PCI Security Scan by an Approved Scanning Vendor. Given the complexity of meeting the requirements, the compliance process often takes more than one year to complete.
Posted in Payment Card Industry / Credit Card Security | 2 Comments »
PCI Compliance for Merchants FAQ
September 25, 2006 by tim.
We are a small company or organization with a fairly low volume of transactions. Do we have to comply with PCI?
Absolutely. The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data must comply with the PCI requirements. Furthermore, the merchant agreement typically has language that binds the merchant to comply with PCI. The specific PCI compliance requirements for merchants vary based on the transaction volume of the merchant.
While the compliance requirements are somewhat relaxed for smaller merchants, there are still many complexities that even a small merchant should consider, and I will mention only three major ones here. First, every merchant must comply with all of the various card companies’ requirements (see this post for more detail), so someone in the organization must invest time in understanding and complying with the maze of these requirements. Second, every merchant must validate compliance by hiring an Approved Scanning Vendor and completing a security compliance assessment. The scanning vendors charge widely ranging fees for their services, and many merchants may find it necessary to hire a security consultant to complete the assessment, not to mention the costs of purchasing hardware, software, or consulting to meet the PCI standards. Third, every merchant is subject to the data breach laws of any state whose residents’ information the merchant has collected, wherever that information falls under those laws. Clearly, the costs of PCI compliance should be considered before a merchant undertakes any project involving cardholder data.
Is there any way for a merchant to avoid complying with PCI?
Well, sort of. Visa and the other companies have made it clear both on their websites and in their merchant agreements that the merchant has primary responsibility for complying with the PCI requirements. The easiest way for a merchant to comply is to outsource the handling of cardholder information to a Service Provider that is fully PCI compliant. The best way to find such a company is the List of Compliant Service Providers published by Visa.
We already use a service provider for accepting online payments. Does this ensure that we are PCI compliant?
It depends. Unfortunately, many service providers do not fully understand PCI compliance. In fact, some service providers that claim to be PCI compliant have not completed the validation and registration requirements. The only way to ensure that you are complying with the PCI requirements is to use a Service Provider that is on the List of Compliant Service Providers published on Visa’s website.
We already use SSL on our website pages that transmit cardholder data. Does this make us PCI compliant?
No. The Payment Card Industry (PCI) Data Security Standard (DSS) comprises twelve general requirements. SSL encryption is essential, but it satisfies only a small part of one of the twelve requirements (#4).
We do not store any cardholder data. Does this make us PCI compliant?
No, even if you do not store cardholder data, you must still be fully compliant with all of the PCI DSS. Visa directly states this in their Frequently Asked Questions (see question 3).
We process credit cards on a server that is behind a firewall on our in-house network. Does this make us PCI compliant?
No. A firewall is certainly required for PCI compliance, but it only addresses one of the twelve general requirements. Furthermore, the PCI DSS places very rigorous requirements on the functionality of the software applications on that server and on the configuration and management of that server. Visa does publish a List of Validated Payment Applications, yet the document includes a blatant disclaimer that use of an application on the list does not yield PCI compliance. Although running payment applications on an in-house server may offer some business advantages, this approach may substantially increase the complexities of PCI compliance because it then mandates compliance for the entire internal network.
What advantages does a merchant gain by using a validated PCI-compliant Service Provider?
To be clear, any service provider that has completed the PCI compliance process is named on Visa’s List of Compliant Service Providers. By using one of these Service Providers, a merchant is deemed to be fully PCI compliant. Furthermore, by using such a Service Provider, a merchant can qualify for Safe Harbor, thereby eliminating liability in the event of a data compromise.
Posted in Payment Card Industry / Credit Card Security | No Comments »