Thursday, November 7, 2013

PCI DSS Version 3.0 Has Arrived

Here are the links on the PCI Security Standards Council web site for the new version of the Payment Card Industry Data Security Standard, PCI DSS.

Press release:


The Standard:

Summary of Changes:


Version 3.0 of the Payment Application Data Security Standard, PA-DSS, has also been released today. Go to the PCI Council's web site for more information:

Wednesday, November 6, 2013

On the Eve of PCI DSS 3.0: Scope Creep

Okay, it's coming tomorrow. We have been hearing about it for a very long time and the wait is almost over - PCI DSS version 3.0 will be released on November 7, 2013.

I have been on pins and needles about this for almost a year. And wondering about one part of it for over two years. When I started in my position at Michigan State University in 2011, I had many conversations about PCI scope with Walt Conway. One thing we discussed from time to time was a pair of documents, one from MasterCard and one from Visa, about the risks surrounding the use of hosted payment pages for e-commerce sites. The main point of these documents was that our usual understanding about what was in and what was out of scope for PCI compliance did not necessarily cover all the risks, and that merchants should do more than they were currently doing to protect cardholder data.


Like many colleges and universities back in the 00s, we listened to and followed the advice to reduce and limit our scope of PCI compliance by eliminating cardholder data wherever we could. We had a home-grown payment processing system that stored, processed, and transmitted cardholder data. Yikes! SAQ D!

We decided to turn that part of our e-commerce business over to a third-party payment processor. We invested in a system that would allow us to continue using our internally developed e-commerce applications, but we would now send our customers off to our service provider to handle the payment part of the application. When they clicked the Checkout button their browser would then display a page from our vendor, where the cardholder data would be entered and collected for processing. Boom! No more cardholder data on MSU servers.

Relief & Dark Clouds

It was glorious and we breathed a sigh of relief that we had made such a significant reduction in the effort needed to maintain PCI compliance at our university. And every unit on campus that had their own e-commerce shopping cart app could continue to use them without having to be concerned about PCI DSS, except in a very minimal, SAQ A kind of way.

But then I saw these documents from the card brands about the risks of hosted payment pages. MasterCard published their bulletin back in 2010, the year when PCI DSS version 2.0 was released. And MasterCard was saying, "Wait a minute here! You're not necessarily off the hook just because someone else is handling your cardholder data for you." They warned of the rise in what are called "man-in-the-middle attacks." The problem they were seeing was that servers that did not touch cardholder data at all, but were part of the e-commerce transaction, were being compromised and the URL for the payment page was being changed. Customers were being re-directed to malicious web pages that would impersonate the real payment pages and steal the customer's cardholder data. The attackers might even complete the real payment for the customer, who would not suspect a thing. Oh. This is not good.

I started to wonder if these warnings might eventually show up in a future version of PCI DSS, and it looks like that is what has now happened. The first official clue was in the PCI DSS E-commerce Guidelines, submitted by the E-commerce Special Interest Group in January, 2013. Then the draft of PCI DSS v3.0 confirmed this where it defines "system components" as including "Systems that...may impact the security of (for example, name resolution or web redirection servers) the CDE." And the PCI council was very explicit about web redirection servers at the PCI SSC North American Community Meeting in Las Vegas this past September. Those servers are in scope.

Now What?

What will this mean? For our university, we will need to start to define controls that need to be applied to our e-commerce servers that we currently consider to be out of scope. But exactly which controls should those be? According to the E-commerce Guidelines, those would be the "Applicable PCI DSS requirements." What is applicable?

In a chart on page 22 of the E-commerce Guidelines, regarding hosted payment pages, we find this:

Merchant is responsible for:
  • Managing website and servers (if self-hosted), including applicable PCI DSS requirements
  • Applicable PCI DSS requirements for managing third parties, (e.g., Requirement 12.8)
  • Having written agreements with any third parties and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS.
  • Securing the web page(s) containing the redirection code and/or function(s).

Again, "applicable PCI DSS requirements" as well as "Securing the web page(s) containing the redirection code." But what, exactly, is applicable? What does "securing" entail? They may as well have said, "It depends." Those questions were on the minds of many assessors in Las Vegas in September. As it stands now, I will have to go through every requirement and sub-requirement to decide if it is applicable. As much as I dislike PCI DSS being denigrated as "checkbox security," the fact is in this situation I want a checklist! If, goodness forbid, we had a data breach and had decided a particular PCI requirement didn't apply but the forensic investigator decided it did apply, we would have an even bigger problem than we thought we had.
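One concrete way to "secure the web page(s) containing the redirection code" is to audit, on a schedule, where the served checkout page actually sends the browser. The script below is an added example and not from the original post: it parses a checkout page, resolves every form action, link and meta refresh, flags any target that leaves the merchant site for a host other than the approved hosted-payment provider or reaches it without HTTPS, and compares the page against a baseline hash recorded at the last review. The provider hostname, merchant URL and sample HTML are constructed for illustration.

```python
"""Audit the redirection targets on a merchant checkout page (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical approved hosted-payment-page host (constructed value); exact
# match only, so a lookalike or sibling subdomain is reported.
APPROVED_PAYMENT_HOSTS = {"pay.example-provider.test"}


class RedirectTargetParser(HTMLParser):
    """Collect every place the page can send the browser: form actions,
    links, and <meta http-equiv="refresh"> directives."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # list of (kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self._add("form", a["action"])
        elif tag == "a" and a.get("href"):
            self._add("link", a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""      # e.g. "0; url=https://..."
            idx = content.lower().find("url=")
            if idx != -1:
                self._add("meta-refresh", content[idx + 4:].strip().strip("'\""))

    def _add(self, kind, url):
        # Resolve relative URLs against the page so host checks see a real host.
        self.targets.append((kind, urljoin(self.base_url, url)))


def audit_redirects(html, base_url, approved_hosts=APPROVED_PAYMENT_HOSTS):
    """Return findings for targets that leave the merchant site and are not
    the approved hosted payment page reached over HTTPS."""
    parser = RedirectTargetParser(base_url)
    parser.feed(html)
    merchant_host = (urlparse(base_url).hostname or "").lower()
    findings = []
    for kind, url in parser.targets:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host == merchant_host:
            continue  # stays on the merchant site; not a payment redirect
        if host not in approved_hosts:
            findings.append(f"{kind} sends the customer to unapproved host {host}: {url}")
        elif parts.scheme != "https":
            findings.append(f"{kind} reaches the payment page without TLS: {url}")
    return findings


def baseline_hash(html):
    """Hash to record when the redirection code is reviewed and approved."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def page_changed(html, recorded_hash):
    """File-integrity style check: has the served page drifted from the
    version that was reviewed?"""
    return baseline_hash(html) != recorded_hash


# Constructed checkout page as it might look after a compromise: the form
# still points at the real provider, but an injected meta refresh sends the
# customer to a lookalike host first, and one link drops to plain HTTP.
SAMPLE_CHECKOUT_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://pay.example-provlder.test/hpp?m=1">
</head><body>
<form method="post" action="https://pay.example-provider.test/hpp"><button>Checkout</button></form>
<a href="/cart">Back to cart</a>
<a href="http://pay.example-provider.test/help">Payment help</a>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_redirects(SAMPLE_CHECKOUT_HTML, "https://shop.example.test/checkout"):
        print("FINDING:", finding)
```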

But, surprisingly to me, the Council told the community the very next morning that they listened to our concerns. They didn't make it a hard promise, but it sounds like they are going to create a new SAQ that covers "web redirection" servers such as I'm concerned about, for those situations where SAQ A just doesn't cut it any more. And they also talked about some additional guidance on PCI DSS scope. After all the hoopla about the Scope SIG that disappeared, they owe that to us.

PCI DSS version 3.0 will not be revolutionary, although it is still full of changes. This business about scope isn't even in one of the actual requirements. But version 3.0 looks like it will still say, as it said in version 2.0, "The first step of a PCI DSS assessment is to accurately determine the scope of the review." And scope will continue to be one of the most important things I need to consider when assessing compliance at my school.

We'll see what PCI DSS version 3.0 actually says tomorrow. Until then!

On the Eve of PCI DSS v3.0 - About

Here is a summary of information about the new standard, which will be released tomorrow.

What do we know about PCI DSS v3.0?

  • Release date is November 7, 2013
  • Becomes effective on January 1, 2014
  • Version 2.0 remains in effect until December 31, 2014 to provide a transition period
  • Version 3.0 introduces more changes than Version 2.0
  • There will be several new sub-requirements
  • Some of the sub-requirements will become effective on July 1, 2015. They will be best practices until then
  • Not all documents will be released on November 7. These will be available in 2014:
    • Revised SAQs
    • New SAQ for web-redirection payment environments
      • Announced at the North American Community Meeting
    • ROC reporting template
    • ROC reporting instructions
    • New AOCs
    • Prioritized Approach to PCI DSS Compliance

What factors have influenced the changes in PCI DSS v3.0?

  • Criminals are still targeting cardholder data
  • Many security breaches are tied to:
    • Lack of payment security awareness and education
    • Malware
    • Weak passwords and authentication
    • Slow self-detection
    • Poor implementation of the PCI Standards
    • Security issues with third-party providers
    • Lack of maintenance to ensure compliance between assessments
    • Inconsistent assessments

What will PCI DSS v3.0 do?

  • Focus more on higher risk areas
  • Clarify many of the requirements
  • Help to improve understanding of the intent of the requirements
  • Add flexibility to implementation
  • Help improve consistency of assessments with more stringent assessment procedures
  • Evolve with changing best practices, as well as risks and threats

What are the major themes in PCI DSS v3.0?

  • Encourage proactive approaches that focus on security rather than compliance
  • Make PCI DSS “business-as-usual”
  • Increase awareness and education
  • Increase flexibility to allow better security
  • Security as a shared responsibility

What kinds of changes are included in PCI DSS v3.0?

  • Clarification – Concise wording to ensure that each requirement matches the desired intent
  • Additional Guidance – To increase understanding
  • Evolving Requirement – Keep standards up-to-date with market changes and emerging threats

Friday, September 13, 2013

Announcements and Introduction

Walter T. Conway, Jr.
Over the past ten years, The Treasury Institute for Higher Education has committed resources to promote education in PCI DSS compliance and best practices throughout the industry.  This includes facilitating well attended workshops annually, managing an industry PCI-DSS blog and being a strong voice on industry councils.  As most of you know, the Institute lost a friend and colleague with the passing of Walt Conway who put a tremendous amount of time into this effort.

Going forward, the Institute will continue its commitment to PCI DSS education.  We have asked three individuals, Ron King, Pete Campbell and Gene Willacker to lead our efforts in this important area.

  • Ron will be responsible for overall coordination and co-moderation for the 2014 workshop, including chairing the Program Committee.
  • Pete will co-chair the 2014 workshop Program Committee and co-moderate the workshop and serve as a representative of the Institute and NACUBO on the PCI Council.
  • Gene will oversee the Institute's PCI Blog.

First and foremost we thank Ron, Pete and Gene for continuing the Institute's PCI work and growing the presence developed by Walt.  Most importantly, we are excited that the Institute's PCI blog is back online and we will begin planning the 2014 PCI DSS workshop.  Expect the program committee to be reaching out to the higher education PCI community in the near future to solicit presenters and topic ideas as it prepares the 2014 agenda.

By way of introduction...

Gene Willacker is the PCI Compliance Officer for Michigan State University (MSU). This position was created in 2011 in order to improve information security and to minimize institutional risk by strengthening the university's PCI compliance efforts for its nearly 450 merchant operations. At MSU, PCI compliance is a Treasury function under the Office of the Controller, supporting the university through the MSU Cashier's Office.

Gene has been working in several areas of the information technology field since 1990, focusing on IT security since 2002. Prior to joining the Controller's Office, he was the Information Security Administrator for MSU's Division of Residential and Hospitality Services (RHS), a 5,000-employee business unit operating in every area of the MSU campus. While there, Gene developed PCI compliance strategies for the division and managed its network security operations. Gene is certified by the PCI Security Standards Council as a PCI Professional and as a PCI Internal Security Assessor (ISA).

Gene's philosophy is that information security and PCI compliance need to be approached with the understanding that they must be an everyday part of business as usual. They are not simply information technology initiatives or checkbox audits, but the end result of business and technology working together to minimize institutional risk.

Please join us in welcoming Gene to our PCI blog.

And remember to save the date for the 2014 PCI DSS workshop:

Monday, April 28th  through Wednesday, April 30th
The Palmer House
Chicago, Illinois, US

Dennis W. Reedy
Jon K. Speare
Executive Directors
Treasury Institute for Higher Education

Monday, July 15, 2013

Walt Conway Memorial

Walter Conway
June 25th, 2013

It is with great sadness that the Treasury Institute’s Board announces the passing of a good friend and colleague, Walt Conway.  Over the past twenty years, Walt was a major part of the Treasury Institute and its predecessor programs, helping all of us in higher education.  Walt became a friend and mentor teaching us much more than treasury management.  He was loved and respected by all that had the opportunity to work with him.  

The Treasury Institute for Higher Education is a stronger organization because of Walt’s involvement and his drive to make us all better. Along the way, Walt taught us to enjoy our work, our roles, and more importantly, to build upon the difference we can all make.  The Treasury Institute will continue Walt’s work with the hope that eventually we can live up to his accomplishments.

The Treasury Institute will be making a contribution to the Walter T. Conway, Jr. Fund at Episcopal Community Services,

For the present, this blog will go silent, but hopefully not for long.  Walt’s commitment to PCI education within Higher Education was second to none.  We will do our best to continue this commitment by resuming the PCI DSS Blog within the next few months.

--The Treasury Institute for Higher Education

Tuesday, April 23, 2013

Verizon Data Breach Investigation Report Released

Verizon has released the 2013 edition of its annual Data Breach Investigation Report.  You can click here to download a copy from their website.

The situation with data compromises is complex, they note in the introduction:

All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity.

You can focus initially on the executive summary to get a broad picture.  For example, who are the victims (mostly financial institutions and retail), who are the bad guys (overwhelmingly outsiders), and how the breaches occur (network intrusions, overwhelmingly; so, how are your quarterly external network scans going?...).

Among the most frustrating observations is that the breaches continue to be opportunistic, of a relatively low level of difficulty, and driven by financial motives.

The report has 63 pages of information, charts, and graphs.  I recommend it to you.  I am still digesting it, so there may be more later.  For a great summary, the folks at Securosis prepared this overview.  But please don't stop there.   Download the report and read it yourself!

Sunday, February 17, 2013

PCI Workshop: Something for Everyone

I have received a few questions on the upcoming PCI Workshop, and I wanted to address them to avoid any misunderstanding.  Specifically, the Institute wants everyone to know that:

  • The PCIP education is part of the Workshop 
  • The PCI Workshop is for business, finance, treasury, and everyone involved in PCI compliance 
  • Attendees do not need to take the PCIP exam; pursuing the credential (at a discount) is a bonus
  • There are parallel sessions for advanced PCI practitioners.  

Everyone in the Higher Ed community should understand what a great program the Treasury Institute has put together for you this year.

The first thing to know is that the PCI Professional (PCIP) education is included as part of the workshop.  There is no extra charge, and you do not have to register separately.  In past years the Institute always provided a half-day update and PCI refresher, which, with the morning PCI 101 session actually stretched to take up most of one full day.  This year we again have a full-day (Monday afternoon plus Tuesday morning) of in-depth PCI education.  The differences are that it will be delivered by the Director of Training for the PCI Security Standards Council (!), and it gives attendees the option (see below) of earning their PCIP credential.  The PCIP education is available to all attendees as part of the PCI Workshop.

I have pointed out that the normal cost of this education alone is more than twice what the Institute charges for the workshop.  It is, therefore, also a pretty great deal for attendees.  One reason for the great value is the Treasury Institute's not-for-profit status; the other reason is the generous sponsors.  We all need to be thankful for the great support of the PCI Workshop's sponsors listed on the registration page.

Someone saw that we had two tracks this year, and they questioned whether the PCI Workshop was still primarily focused on the Treasury Institute's core audience of finance, treasury, and business professionals.  The clear answer is: yes.  The PCIP education, for example, is not exclusively IT-focused.  As the PCI Council states on its website, the training is "for industry professionals who demonstrate their expertise in and understanding of PCI standards."

The agenda (see below) has two tracks this year for the first time.  This change is in response to requests from attendees for separate sessions to address areas of primary interest to them.  The PCIP training is for everyone.  The separate sessions Tuesday afternoon offer one track that is more business process focused, and another that is more IT-focused.  My guess is that some attendees will go back and forth between sessions and tracks (which I plan to do, too!).

Another question I got was whether attendees had to take the PCIP examination.  The answer is a simple no.  The choice of taking that test after the Workshop is entirely yours.  The PCI Council offers PCI Workshop attendees a discount (making the whole thing an even better deal!).  My guess is that many if not most attendees will want to leverage the opportunity to earn the PCIP credential.  However, if you only want the great education, that is fine and you and your institution are ahead of the game.

Lastly, what if you are already an Internal Security Assessor (ISA) or already have your PCIP?  The PCI Workshop is still for you. You can attend the PCIP education, and use it as a refresher (and get Continuing Education hours).  Or you can choose to attend the parallel, more advanced sessions.  We are having two tracks this year as you can see by the agenda (click here), so there is something for everyone.  I have been working with a number of Higher Ed professionals who have either or both their ISA and PCIP credentials, and they are looking forward to the PCI Workshop as much as anyone.

Bottom line: the Treasury Institute's PCI Workshop remains the premier event for Higher Education institutions to receive PCI DSS education.  I look forward to seeing many of you there.  Click Here to learn more, download the agenda, and register online.  

Wednesday, February 6, 2013

PCI SSC Cloud SIG Report Available February 7

The PCI Security Standards Council (PCI SSC) will release the PCI DSS Cloud Computing Guidelines Information Supplement on Thursday, February 7:

[The Cloud Computing Guidelines] zeroes in on the kinds of questions and considerations you should have in mind when picking a technology or service provider that will help you protect your card data in a cloud environment - and support PCI DSS.

The Guidelines are the result of the Cloud Computing Special Interest Group, and it is the third and final SIG report from the 2012 SIGs to be released.  You will be able to access the report at the PCI SSC's Documents Library when it is released.

BTW, if you are interested in participating in any of the 2013 SIGs, there is still time to learn more and sign up.  You can do that by clicking here to go to the SIG page on the PCI SSC's website.

Thursday, January 31, 2013

PCI SSC eCommerce SIG Report Released

The PCI Council's eCommerce Security Guidelines is released.  You can view the press release (click here) for all the details, and a link to the document is right here.

This report represents the combined efforts of many people in the PCI community, including Higher Ed institutions.

Wednesday, January 30, 2013

eCommerce SIG Report Out Jan 31

On Thursday, January 31, the PCI Council will release the eCommerce Special Interest Group's report:

Does your company accept payment cards over the Internet, or work with companies that do? Are you trying to select shopping cart software, or perhaps a web hosting provider, but want to be sure you're supporting your company's PCI efforts? Maybe you're not quite sure how PCI applies to this environment. The PCI DSS E-commerce Security Guidelines Information Supplement is developed by and for folks like you via an elected Special Interest Group.

A lot of people, including Higher Ed institutions, merchants, QSAs (including me), and others devoted a lot of time and energy into developing this report and the guidelines for best practices for eCommerce.

Be sure and check the Council's website (and here) for a link to the report.

Monday, January 21, 2013

PCI Workshop and PCIP Savings – Do The Math

The Treasury Institute’s PCI Workshop is a great opportunity for PCI education and networking with other institutions.  Because of the Institute’s focus on Higher Education and the participation of sponsoring organizations, the workshop is also a great value financially.  At $450, the price of the three-day PCI workshop is less than half what similar corporate workshops would be. 

At the risk of sounding like a TV commercial, I have to add: “But there’s more…”

This year the benefits are even greater thanks to the Institute’s partnership with the PCI Security Standards Council and NACUBO.  Workshop attendees will have the opportunity for PCI Security Standard Council's PCI Professional (PCIP) education at no additional cost, and by doing so attendees qualify for a significant discount on the test to receive their PCIP credential. 

The PCIP is a credential for industry professionals who demonstrate their expertise in and understanding of PCI standards. This credential is an individual qualification that does not require a sponsoring employer.  That is, it stays with the individual. 

Here are the details:
  • The PCIP credential requires an application fee and a test
  • Most applicants also take the PCIP eLearning, which workshop attendees may find they do not need after the PCIP education at the workshop. 

Here are the numbers:
  • There is a PCIP Application fee of $395 plus discounted exam fee of $225 (regularly $395) = $620.  For most people, I expect this is what they will spend.  Therefore, you save $170 on the exam, and you also save the $995 eLearning fee ($1,250 for non-Participating Organizations).   
  • Note: if you decide you still want the Council’s eLearning training, they have graciously agreed to let you apply your Treasury Institute/NACUBO $170 discount there, and spend a reduced total of $1,220 ($395 for the application, and $825 for the discounted eLearning, which includes the exam fee). 

How much will you save?  Well, if you attend the workshop and benefit from the PCIP education, you could save well over twice the cost of the workshop. To work out your own budget, be sure to see all the details at the Council’s website. 

There is no obligation to take the PCIP exam.  Attendees will, however, benefit greatly from this in-depth education.  Also, the Treasury Institute reminds everyone that attending the PCIP education is no guarantee you will pass the PCIP examination.  However, the PCIP education coupled with your diligent review of other PCI documentation on the PCI Council's website (which will be emphasized during the education) should prepare you well for the exam.  

If you already have the PCIP or even an Internal Security Assessor (ISA) credential, and/or you don't want to benefit from the education, the Institute's 10th PCI workshop is still for you.  As you will see by the agenda posted on the Institute’s website, there are parallel sessions where together with your peers we will delve into topics such as mobile commerce, point-to-point encryption, and scoping your PCI assessment.  Then after the PCIP education, we have the Higher Education PCI case studies separated into business and IT tracks.  It's all  detailed in the agenda.  

That means the PCI Workshop benefits PCI newcomers and veterans alike.  And while the workshop will have two tracks this year, there will be plenty of time where we all will be together for important sessions, including our networking hours after both Monday and Tuesday. 

Monday, January 14, 2013

PCIP Credential Opportunity (and Discount!) at PCI Workshop

I am pleased to announce that the Treasury Institute, in coordination with the PCI Security Standards Council, is presenting a PCIP educational opportunity as part of the PCI Workshop.  This will provide attendees with an overview of the new PCI qualification and help in preparation for the PCIP exam.  To make this opportunity even more attractive, attendees qualify for a substantial discount on the testing fee.  

This means for your workshop registration fee, you get the bonus of the additional PCIP instruction plus a discount on the cost of attaining this credential. 

Here are the details.

The PCIP is a credential for industry professionals who demonstrate their expertise in and understanding of PCI standards. The PCI Council awards this qualification and serves as an impartial, third-party evaluator of each candidate’s knowledge of PCI standards. The Program is a direct result of feedback expressing interest in an individual qualification that does not require a sponsoring employer.

The PCI Council will provide this PCIP instruction as part of the Treasury Institute’s Workshop.  There is nothing extra to sign up for, and no additional cost for this bonus session.   At the end of the workshop, attendees will receive a code that gives them a significant discount on the PCIP testing fee.

This will be instructor-led education.  The PCI Council has agreed that any attendee who decides to take the full PCIP eLearning course afterward can use their code to receive the same discount on that, too.

To see the details of the PCIP credential, click here. 

There is no requirement to take the test for the PCIP credential if you don’t want to.  If you choose to take the test, your discount code will be good until May 30, giving you about three weeks after the workshop to apply to become a PCIP, and until June 30th to take the exam or the course + exam.  You should also understand that the PCIP education – while it is thorough – does not guarantee you will pass the test.

The PCIP education will be split over Monday afternoon and Tuesday morning.  We will have our Higher Ed PCI case studies with separate IT and Finance/Business tracks Tuesday afternoon.  This promises to be a very exciting agenda.  

I look forward to seeing you there.