Thursday, February 26, 2009

PCI DSS - Random Musing #1

For anyone wondering why I posted random stuff about PCI when I've been harping on about Internet filtering for months, well, I've been doing some work in this space for a while.

For the uninitiated, PCI DSS is a standard for handling credit card data securely. It's been around for a while now, but it's only really started gaining momentum in Australia in the past 12-24 months.

When you go to the Tier 1 merchant training sessions, talk to the QSAs, the acquirers, etc., the message is loud and clear: don't store cardholder data unless you really, really, REALLY have to. Just hand it over to the payment processor. At least that's the crux of it.

So why did I post those articles?

Well, my point is that we rely on the payment processors, and best practice tells you that is where the data should be going, and I agree 100%. Online businesses send their credit card data directly to the payment processors and minimise any storage of anything on their side of the fence. Pretty cut and dried, right? Minimise your liability and protect your clients, reduce PCI DSS audit scope where you can, and everyone is happy, right?

Except for the consumer if their data gets stolen from your payment processor because they used your site.

You get the blame because they (the unfortunate consumer) used your site, even though it was your payment processor's responsibility to protect that data and you did everything by the book. You get smeared by association and lose business. If you're really unfortunate and you follow this train of thought to its ultimate logical conclusion, couldn't your business go under? This scenario could easily kill a small business. If so, could the payment processor be open to a lawsuit?

PCI DSS states that any third parties you rely on for the processing of cardholder data must be validated as PCI DSS compliant. But these articles prove that this isn't enough.

So this raises a bunch of questions:
  • Are the payment processors implementing "real" security or just trying to get ticks in the boxes of their audit?
  • How many of these companies restrict outbound Internet access? Limit/filter HTTP access?
  • Failing that, how many segregate their core IT systems from their internal LAN? And who has access to these systems and how is access facilitated?
  • What controls are in place for their administrators and staff with privileged access? What sort of background checks are performed?
  • What boundaries and checks exist to measure/reduce/prevent authorisation creep?
  • Just how restrictive is the SOE (standard operating environment)? Do they have appropriate network access controls to prevent random devices (e.g. contractor laptops, executives' children's devices, etc.) being plugged into the office LAN?
I think most enterprises in general are pretty weak on the above controls. But can these businesses afford not to implement the most paranoid levels of security when they own so much risk and are clearly high-priority targets?

You be the judge.

The takeaway lesson, I guess, for security professionals is that we need to be asking some seriously tough questions (above and beyond PCI DSS) when conducting vendor selection for payment processor facilities. We need to ensure they implement security to a level we think is commensurate with the level of risk. If you're in the middle of PCI DSS remediation and looking to consolidate payment processors, you're in the prime position to do so.

And somehow we are expected to be pragmatists about it. Can we make sure we aren't holding them to an impossible standard? Can the bar be set too high with cardholder data when the costs for breaches and liabilities involved are so high?

Like I said, you be the judge.

BTW, I'm not suggesting the above list of questions is perfect, or even a place to start. Those are just some random questions that occurred to me personally. I just couldn't help but wonder how seriously these guys take their security and, if so, to what extent they take it and whether it is really enough.

- J.

cmlh said...

What about referring the association with the Payment Processor e.g. "Credit Card Payment Powered by XYZ Payment Processor"?

Jarrod said...

Gidday. Certainly no harm doing that and educating your clients. At least they can then see which payment processor you're using.

Not sure it will cut down on your number of complaints in the event of a breach - but I don't know that anyone has an answer to that. :(