Thursday, July 30, 2009

Why You Don’t Surf the Web on Payment Workstations

Some clients have asked me why I’m such a pain in the ___ (insert your favorite body part here) about letting them use their workstations to enter card transactions. I’ll give you the answer: it is so you remain safe. Here’s an example why…

I was reading in the recent article in Dark Reading about a new Trojan called Clampi that is specifically targeted at businesses like yours. It is designed specifically to identify and steal financial information. The Trojan is incredibly sophisticated, seeking out and collecting administrator credentials and financial account data. It has already been used to execute successful thefts by transferring funds.

Want to know how good this thing is? The criminals behind it are not selling it to other less sophisticated bad guys as is the usual case. No; this thing is so good they are keeping it just for themselves. I don’t know about you, but that part particularly scares me.

How do you protect yourself? Anti-virus programs won’t be much help. This Trojan hides itself pretty well, plus it detects which AV product you use and takes steps to avoid being found. An intrusion protection system (IPS) can help, but they’ll probably find a way around that pretty soon.

Is this beginning to sound like swine flu meets Friday 13th in a train wreck???

The best way to avoid it is to assume the worst: do not use any computer you use for financial transactions to surf the web. And yes, I mean that even if you use a white list. An expert quoted in the article said: "Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing. You can't have any crossover between them."

That’s why I tell my clients – and I’m telling you – do not permit web surfing or email on any machine you use for card transactions. Period. That includes cashiers, finance staff who process exception items, development fund raisers, hotel front desk clerks…anybody. Somebody reminded me this week of the old line: just because you’re paranoid, that doesn’t mean they really aren’t out to get you. In this case “they” are the bad guys – criminals. And they really, really are out to get you. Don’t make it easier for them.

Tuesday, July 28, 2009

Network Solutions Data Breach

If you use Network Solutions for your card processing, you should read this. It is possible that thousands of merchants and unknown numbers of cardholders will be affected. According to the company:

In the ordinary course of business, Network Solutions identified unauthorized code on servers supporting some of our E-Commerce merchants’ websites. We promptly removed this code, and all of our E-Commerce servers are functioning properly. No servers supporting were affected.

After conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data from approximately 573,928 cardholders for certain periods this spring.

This breach is sure to re-ignite the "Compliant when Compromised" argument -- Network Solutions claims they were PCI compliant at the time of the breach (see here).

We all should recognize that at this time we don't know everything, but if you think you might be affected check out the Network Solutions statement.

Wednesday, July 22, 2009

Welcome to the New Site!

This is the new site for the Treasury Institute's PCI blog. Please update your bookmarks to point to this page. No changes to the management, just a new shop location. You can still search through all the past blog posts on the previous site. I've repeated some recent posts below.

Long Beach PCI Workshop in January

On Wednesday, January 27, the Treasury Institute will hold a 1-day PCI workshop in Long Beach, California. We have timed the PCI workshop to coincide with the Institute's Symposium 2010.

I will lead the workshop. I'm still developing the agenda, so your thoughts and input are welcome. The focus will be PCI implementation strategies and issues. I plan to offer some brief case studies based on my work with a number of schools to illustrate some common PCI pitfalls and how to avoid them. The session will be a great learning and networking opportunity, particularly for many western and west coast schools that could not travel to Indianapolis last May. The workshop is designed for anyone on campus who is actively involved in or responsible for PCI compliance.

You can learn more about the workshop and even register online by clicking here. I look forward to seeing many of you there!

Phishing Attack Foiled

(Originally published July 16, 2009)
I have seen a lot of clever and some not-so-clever phishing scams. I just saw the following in the Chronicle's Wired Campus:

After business hours last Thursday night, an e-mail message popped into the in boxes of 800 people at North Carolina State University with the subject line “Mandatory Security Update: July 2009.” The e-mail message, which claimed to be from the IT Help Desk, said that in an effort to block spam, all e-mail users had to click a link to the university’s e-mail sign-in page and enter their user name and password.

It seemed perfectly normal — the image icons were the same, and links to the home page and directory all looked fine.

But it was all a hoax.

While this attack may not be the most original, the response by North Carolina State was outstanding. They stopped the attack before any real damage could be done. Then they realized something else. The phishers had such a good-looking site because they were copying the actual graphics from the school's own site. So, guess what? They changed the graphics to say "THIS IS A PHISHING SITE. Do not enter your password".

These guys at NC State are rock stars! For a complete rundown with copies of the NC State response, visit their site which also gives a complete blow-by-blow of their actions.

And you thought they were only good at basketball!

PCI Wireless Special Interest Group Reports

(Originally published July 16, 2009)
For those of you who use wireless networks in your payment environment, the PCI Council's Wireless Special Interest Group has this afternoon released their Wireless Guidelines. If wireless networks figure in your payment environment, I suggest you download the report and give it a good read...all 33 pages of it.

I'm still digesting it, so maybe I'll have some comments later. Right now, it looks pretty comprehensive.

PCI and Your Third-Party Service Providers – Now Some Good News

(Originally published July 16, 2009)
I wrote (ranted…?) last time about working with schools and their non-validated service providers. I focused on some disappointing if not downright misleading behavior by a few providers. Now, I’d like to share some more pleasant news: more and more service providers are getting validated.

In one case the school was using a non-validated service provider. That is, the service provider wasn’t on Visa’s list. When we contacted the provider, they knew exactly what we were asking about, and they sent a document describing their plan to become a Level 1 Service Provider, complete with timetable and identifying their QSA firm. They had made substantial progress and hoped to be validated within weeks. Clearly these folks had been thinking about this for a while.

In another case we spoke to the vendor who ended up giving us (!) a little lecture on the importance of PCI. Then he displayed a pretty thoughtful insight: from his point of view, he wanted to outsource the payment process, too. This vendor would maintain all their functionality (which the user loved) but outsource the payment part of it. They had already built links to a number of other payment vendors so the school could choose one to which they were already connected. If you recall my earlier blog post on SunGard, I really endorse this approach for both schools and service providers. Besides, when the service provider offers a solution like that, it can make the consultant look pretty smart, too. (I wonder if I remembered to thank him...)

There is good news on the payment application front, too. More Higher Education application providers are going through the PA-DSS validation process. In fact there are so many apps on that list currently that I recently had to download it to Excel so I could search through it. Others are working on providing a hosted solution which can go a very long way to helping a school become compliant. Again, my personal preference is to get the payment processing out of the school’s PCI scope and outsourced to a validated processor that does this for a living. I see this direction as (hopefully) a trend.

To summarize, there is good news on the third-party provider front. These days, I’m encountering more vendors who “get it” with PCI. They realize that PCI isn’t going away, and that their customers are not going to stay with a supplier who will not support a school’s own compliance efforts. It makes my life easier, too: nobody wants to tell a client to stop using an application they have been happy with for years.

My compliments to all you service providers who are validated and to those who are getting close. Good job! For the rest of you service providers…did I mention I can suggest a good PA-QSA firm…? (end of shameless promotion).

PCI and Your Third-Party Service Providers – First, the Bad News

(Originally published July 10, 2009)
It’s happening again. I’ve now run into it a couple of times in the past few weeks. I’m working with a university to get them PCI compliant. Somebody on campus is using a third-party service provider that is not on Visa’s list of compliant service providers.

My usual procedure (and what I recommend to you) is to get the vendor on the phone and say something like: “I notice you are not on the list of PCI-compliant service providers; what are your plans to get on the list?” Then stop. Let them talk. Many times the vendor is well aware of the situation, and they will happily share their plans with you. But oh, those other times...

Twice recently I’ve had a vendor submit their scanning report. Like that’s supposed to make me feel warm and fuzzy that they’re compliant!?! That says they passed a scan by an ASV. Whoopee. When I see this, red flags go up. How about the rest of PCI compliance, like almost the entirety of PCI DSS? If they process more than 300,000 transactions a year – and you do not want to deal with any service provider who doesn’t – they are a Level 1 service provider and they need a QSA to sign-off on their Attestation of Compliance. Where is that Attestation of Compliance? Is it current?

My favorite is when the vendor replies that they are compliant as a Level 3 (or 2 or whatever) merchant. That response is completely irrelevant and inexcusably misleading. That they are compliant as a merchant is meaningless to you when you use them as a service provider. They can self-assess as a merchant – they cannot as a Level 1 service provider. That extra step is meant to protect you. If you get that kind of reply, you are likely dealing with an over-eager and/or ill-informed sales rep…ask to talk to an adult.

What about all your small vendors that serve a market niche? Do they need to be compliant? Yes, they do, and it will cause some of them to find another business. PCI effectively eliminates small vendors that can’t afford to become and stay compliant. While sad for the vendor, it is better for your school. You don’t want to entrust your brand and your financial data to an insecure, vulnerable outside vendor.

But there is a lot of good news. That’s in the next post.

PCI Feedback Begins Today!

(Originally published July 7, 2009)
The PCI Council is soliciting feedback on the current version of PCI DSS. Per the Council:

The open feedback period regarding the PCI Data Security Standard (DSS) v 1.2 and Payment Application Data Security Standard (PA-DSS) v. 1.2 begins today! As part of the Council's transparent, standards management lifecycle process, you, our Participating Organizations - merchants, processors, financial institutions, associations, vendors, and other key stakeholders - have the opportunity to provide detailed and actionable feedback in an effort to revise future editions of the Council's standards to improve payment data security. This is part of phase two of the lifecycle process and the feedback period will be open from July 1 to November 1, 2009.

Thanks to NACUBO and the Treasury Institute, you have a voice through Tom Davis and me. We are asked to comment on no more than 5 items that are the most important. Tom and I each have ideas on what these might be, but we both would like to hear what you think.

Any and all comments welcome. Comment here directly or send me an email ( with your suggestions. Please limit yourself to your top few ideas/comments. Tom and I will pull things together and provide our (your!?!) feedback to the Council.

One of the great advantages of being part of a Participating Organization is that we get to help shape the Standards. This is your chance to make your voice heard.

MasterCard PCI Validation Requirements and You

(Originally published June 26, 2009)
If you are a Level 2 merchant (or have one on campus) then the new MasterCard validation requirements affect you.

Rather than repeat what has already been said, written, or blogged about, I'll refer you to Branden Williams' blog. He has been following the issue closely and has some good insights.

I don't know how many of you are affected by this change, but if you are, feel free to contact me directly with any questions.

I Want Your Input To the PCI Council

(Originally published 6/26/09)
As all of you likely know, NACUBO (in partnership with the Treasury Institute) is a Participating Organization in the PCI Council. I along with Tom Davis at Indiana University are NACUBO's representatives, and therefore represent all of you in Higher Ed at the Council's Community Meetings and other forums. In that role, I received the following email from Bob Russo at the Council:

One of the most important aspects of my role as General Manager for the PCI Security Standards Council is communicating with you, our Participating Organizations, about our standards and how we can help you secure your customers' and clients' cardholder data. That said, we've recently created a survey to assist us in gaining your feedback because your input drives the direction of the standards.

Your answers will play a big part in helping us to enhance payment account data security around the globe. However, please note that the data you provide will only be analyzed in the aggregate; your individual responses will be kept confidential.

Thank you for taking the time to share your opinions with us!

It's up to you. What would you like me to say? What constructive suggestions do you have? What changes to the PCI Standards would help you secure your students', parents', donors' and friends' information?

You can let me know by commenting or just send me an email: Please get your thoughts to me by July 2.