Thursday, February 26, 2009

PCI DSS - Random Musing #1

For anyone wondering why I posted random stuff about PCI when I've been harping on about Internet Filtering for months, well, I've been doing some work in this space for a while.

For the uninitiated, PCI DSS is a standard for securing cardholder (credit card) data. It's been around for a while now, but it's only really started gaining momentum in Australia in the past 12-24 months.

When you go to the Tier 1 merchant training sessions, talk to the QSAs, the acquirers, etc., the message is loud and clear: don't store cardholder data unless you really, really, REALLY have to. Just hand it over to the payment processor. At least that's the crux of it.

So why did I post those articles?

Well, my point is that we rely on the payment processors, and best practice tells you that is where the data should be going - and I agree 100%. Online businesses send their credit card data directly to the payment processors and minimise any storage of anything on their side of the fence. Pretty cut and dried, right? Minimise your liability and protect your clients, reduce PCI DSS audit scope where you can, and everyone is happy - right?

Except for the consumer if their data gets stolen from your payment processor because they used your site.

You get the blame because they (the unfortunate consumer) used your site, even though it was your payment processor's responsibility to protect that data and you did everything by the book. You get smeared by association and lose business. If you're really unfortunate and you follow this train of thought to its ultimate logical conclusion, couldn't your business go under? This scenario could easily kill a small business. If so, could the payment processor be open to a lawsuit?

PCI DSS states that any third parties you rely on for the processing of cardholder data must be validated as PCI DSS compliant. But these articles prove that this isn't enough.

So this raises a bunch of questions that came to mind:
  • Are the payment processors implementing "real" security or just trying to get ticks in the boxes of their audit?
  • How many of these companies restrict outbound Internet access? Limit/filter HTTP access?
  • Failing that, how many segregate their core IT systems from their internal LAN? And who has access to these systems and how is access facilitated?
  • What controls are in place for their administrators and staff with privileged access? What sort of background checks are performed?
  • What boundaries and checks exist to measure/reduce/prevent authorisation creep?
  • Just how restrictive is the SOE? Do they have appropriate network access controls to prevent random devices (e.g. contractor laptops, executives' children's devices, etc.) being plugged into the office LAN?
I think most enterprises in general are pretty weak on the above controls. But can these businesses afford not to implement the most paranoid levels of security when they are carrying so much risk and are clearly high-priority targets?

You be the judge.

The takeaway lesson, I guess, for security professionals is that we need to be asking some seriously tough questions (above and beyond PCI DSS) when conducting vendor selection for payment processor facilities. We need to ensure they implement security to a level we think is commensurate with the level of risk. If you're in the middle of PCI DSS remediation and looking to consolidate payment processors, you're in the prime position to do so.

And somehow we are expected to be pragmatists about it. Can we make sure we aren't holding them to an impossible standard? Can the bar be set too high with cardholder data when the costs for breaches and liabilities involved are so high?

Like I said, you be the judge.

BTW, I'm not suggesting the above list of questions is perfect - or even a place to start. Those are just some random questions that occurred to me personally. I just couldn't help but wonder how seriously these guys take their security and, if they do, to what extent they take it and whether it is really enough.

- J.

Web censorship plan heads towards a dead end

This sounds too good to be true:

"Senator Nick Xenophon previously indicated he may support a filter that blocks online gambling websites but in a phone interview today he withdrew all support, saying "the more evidence that's come out, the more questions there are on this"."

I think the writing is on the wall.

The article highlights that Senator Conroy is clearly pushing this despite an overwhelming lack of public support, ignoring all facts and professional opinion and discourse. His blatant disregard for conducting fair and representative tests, by failing to include any of the Tier 1 ISPs, is the icing on the cake IMHO. While it seems that sanity shall prevail, we should not let our guard down; we should keep pushing for an end to this ridiculous move and see it through to the very end.

Oh, before I forget - I found this quote to be even more poignant:

""Unfortunately, such a short memory regarding the debate in 1999 about internet content has led the coalition to already offer support for greater censorship by actively considering proposals for unworkable, quick fixes that involve filtering the internet at the ISP level," Labor Senator Kate Lundy said in 2003."

We who forget the past are doomed to repeat it... indeed.

- J.

Tuesday, February 24, 2009

PCI-DSS compliant payment card processors targeted

Two articles worth reading.

Here:

"What concerns me is that Visa and MasterCard, they clearly know who it is," Shettler said. "They just won't say anything because the processor hasn't come clean. The sort of feel it gives people is that Visa and MasterCard are covering for some unnamed organisation."

and here:

"This is clear evidence to me that the criminals know how to bypass the traditional security controls in place today," Litan said. "It's clear that they're targeting the processors now because there's much more data there. [Processors] are more centralized and the thinking is that more attention is paid to their security, but they are at the nerve center of processing systems."

I hope these guys are implementing real (paranoid-level) security, given that they're operating in high-risk environments, and not just paying lip service to the PCI DSS standard.

- J.