Time to be Careful

Today's required reading is an opinion piece in the New York Times "Time to be Afraid of theWeb" The article assesses the current state of Internet security and concludes that you don't have to visit risky sites or really do much of anything out of the ordinary to be at risk. The author concludes:

But with more and more information about people’s credit cards, browsing histories and identities sloshing around online, I wonder whether this will do. A few months ago, I nervously created my first Facebook page with the minimum necessary information to view pictures posted by old friends.

I returned to the page a few days later to discover that somehow it had found out both the name of my college and my graduation class, displaying them under my name. I have not returned since. In the back of my mind, I fear a 28-year-old hacker and a couple of Russians have gathered two more facts about me that I would rather they didn’t have. And it’s way too late to take my life offline.

This opinion piece is a good companion to the excellent article on the Conficker virus in yesterday's Times. For even more background, look to the upper right of this blog and click on the "search the archive" link. Put in "dangerous" or something like that and you can find earlier advice, observations, and maybe a few examples.

Why am I writing this in a PCI blog? Because this is what your students, faculty, and staff are doing. This is where they are surfing on your school's systems. This is where they are collecting malware (like I seem to collect parking lot dings on my car...). And this is why you don't want cardholder data anywhere on your systems. If the data aren't there, they can't be compromised and you can't be in the headlines for reasons you'd prefer not to be.

So... be careful! Spread the word.

Keeping Informed on PCI Just Got Easier

It can be really tough staying on top of developments in PCI DSS, card brand rules, risks, threats, and everything else we are supposed to know about but don't have the time to follow. I have a couple of suggestions.

First, of course, you might want to follow regularly this blog (what did you expect me to say!?!). Also, I've put links to some really great resources on the right hand side. These are blogs I follow, and sometimes refer to them. Now I've got two more for you.

I just found out (thanks, Branden) that Visa has an RSS feed. This one gets my vote for one of the neatest developments in a while. You can sign up for any number of notifications (I picked "Select All", but this is sort of my business, after all...). It is a great way to keep on top of Visa's alerts and bulletins.

I can't wait until I get to tell you about MasterCard or Amex doing the same thing...hint, hint...

The PCI Council also has an RSS feed. Subscribe to it and you can get all the news and announcements. There may be more than you want here, but you may want to check it out.

Keeping informed just got a little easier.

Choosing a QSA...How Do YOU Do It?

Nearly all schools validate their PCI compliance using a Self-Assessment Questionnaire (SAQ). Nevertheless, many schools also hire a QSA to help them in the process, either with training, conducting a PCI gap analysis, designing a compensating control, or just helping the internal team through the process. All of which raises the question: how do you select a QSA?

Do you pick the biggest, the cheapest, the easiest grader, the one who worked with another school you know? For an interesting insight, take a look at good friend Dave Taylor's post at StorefrontBacktalk. Dave takes you through the ups and downs all in a couple of pages.

Full disclosure: I work for a QSA firm. But what I would like to hear is how did YOU chose your QSA? What factors did you consider? What was important to you and your institution? Leave a comment. It won't take long, and we all might benefit from sharing the information.

A Discussion You Might Want to Follow

What can PCI DSS do, and what can it not? What role may it have played or should it have played in the recent breaches?

There is a discussion going on at StorefrontBacktalk that you may want to read...and be sure to read the comments. It deals with the recent breaches and the questions above. Another great take on the indictments and security is at Mike Dahn's blog (which also has a number of links).

Serial Credit Card Thief Indicted

The Justice Department claimed today's indictment of three individuals represent the biggest case of credit card theft ever prosecuted. The one American and two unnamed Russians are charged with stealing over 130 million credit card numbers from all the organizations you've been reading about: Hannaford, 7-Eleven, Heartland Payment Systems, and a couple of others.

In some cases they sold the numbers; other times they used them to buy goods. To me, the big story was the reputed mastermind behind these and other thefts. This guy is already under other indictments for the TJX breach, among others.

Here's the reason I'm bringing this to your attention: these guys targeted their attacks. They actually identified who would be likely to have lots of payment cards, then they systematically went after them.

If this doesn't make you worry, it should.

If this doesn't make you re-think storing PANs electronically, it should.

And...
If this doesn't make you maybe a little more scared of the bad guys and a little less scared of your QSA, it definitely should.

UPDATED: Heartland CEO blames QSAs

I'm not sure I agree with everything that is said, but I recommend you read the article in ComputerWorld (also in CSO) where Heartland Payment Systems CEO Robert Carr talks about their massive data breach.

One good point he does make (which means I agree with him...) is when he says "If a smart person's job is to define a set of rules to keep merchants from being breached and they have to start somewhere, what they come up with is going to look something like PCI. There has to be a lowest-common-denominator set of rules. PCI could be improved, but the standard is fine."

Read the article, and blame who you want to blame or nobody. But keep in mind a few things. This was a processor. They have to retain cardholder data. You are a merchant. You rarely if ever need to retain the data. So go back and ask yourself if keeping cardholder data is really worth the risk and lost sleep.

UPDATE: For a response to Mr. Carr's comments, you have to see this post by Rich Mogull at Securosis. I could not say it better.

MasterCard New PCI Requirements Clarified

MasterCard has posted a 4-page FAQ on its website describing the recent changes to its Site Data Protection (SDP) program. I've blogged about this previously, but now we have some details (with thanks to Branden Williams again).

Here is my take on what it means to you. I'll focus on Level 2 merchants since that is where the changes are.

• If you are a Level 2 merchant, you now need to hire a QSA to conduct and complete an onsite data security assessment by December 31, 2010, and repeat it annually. Forget the idea of using you internal auditors - that option no longer exists. It appears MasterCard has figured out ("I'm shocked, SHOCKED...") that maybe some merchants were a little too liberal with checking the "in place" column in their SAQs.
  
  
• Interestingly, if a L2 merchant outsources their processing to a validated processor, and the merchant would have previously qualified to validate their own compliance with SAQ A, then according to the FAQ they can continue to do so. The rationale is that since the processor has an onsite data security assessment, that covers the requirement. That one sounds like it might be a little inconsistent to me, but I'll leave it to the folks at MasterCard and the acquirers to work it out.
  
  
• There is an interesting point in the FAQ about "newly acquired merchants." MasterCard seems to be taking a page from Visa's playbook and requiring that acquirers only "board merchants that are PCI compliant." So much for shopping around and changing acquirers to avoid compliance...
  

There's more in the FAQ, but the message is clear. If you are a Level 2 merchant, it's time to start looking for a QSA, which you can do by following this link to the PCI Council's website.

BTW, the FAQ says all this information went out to MasterCard acquirers on June 15. Hmmm...let's see...it's now August and people are just finding out about this. But of course, all of you heard about this in June from your acquirer, right...?

PCI DSS v1.2.1

Most of you know that NACUBO in partnership with the Treasury Institute is a participating organization in the PCI Council. One of the benefits to you is that we (meaning "you") get the latest news from the Council directly. One such example is the email I got today from the Council on version 1.2.1 of the PCI DSS.

I mention this only so that if you go to the Council's website and download some of the publications, you will see this new version number. Don't get too excited or concerned: there are no changes to the standard as detailed in the FAQ I received:

The move from version 1.2 to version 1.2.1 of the PCI Security Standards Council’s Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) signifies minor corrections designed to create more clarity and consistency among the standards and supporting documents. The changes are minor, for example; correcting spelling, eliminating redundant lines and updating language to synch with supporting documents. [emphasis added] There are no additions to the requirements or to the intention of the standards. This change, and the creation of DSS, PA-DSS, and the PA-DSS Program Guide 1.2.1 is administrative in nature.

Each document has been updated with a table of changes on the front page illustrating precisely where the administrative updates have been made within the document.

Additional information in the Council's FAQ includes:

Should I revisit my compliance plans or implementation timelines?
As there are no changes to the intention or requirements of the DSS, your compliance programs will be unaffected by the change from DSS 1.2 to DSS 1.2.1

Do I need to do anything differently?
You should continue to work with your assessor on your current compliance program. There are no changes from v1.2 to DSS 1.2.1.

Does this change your plans to roll out the next version of the PCI DSS?
This will not affect the planned, public lifecycle of the DSS. We are currently in the feedback period of the lifecycle and encourage organizations to share feedback with us through the online feedback form, FAQ tool and direct email contact. The first feedback period runs until November 1st and incorporates both the US and European Community Meetings.

So...if you download any documents from the Council, don't be put off by the new version number.

Welcome Back, Mike!

Mike Dahn has a new blog, and I suggest you might want to follow it. Mike brings an unique blend of experience (former QSA trainer) and expertise to his PCI DSS rants...er, I mean posts. Today's post is no exception...and I agree with every word of it.

Welcome back to the blogosphere, Mike.

MasterCard Goes Public with Noncompliance Fines

Here is something I've been following for the past week or so, and I want to make sure you know about. According to Branden Williams' blog, MasterCard has instituted a schedule of fines for Level 1-3 merchants who are not compliant. The fines are quarterly, they escalate, and they continue until you validate compliance:

-- Levels 1 & 2: $25K first quarter; $50K second quarter; $100K third quarter; $200K fourth quarter.

-- Level 3: $10K first quarter; $20K second quarter; $40K third quarter; $80K fourth quarter.

Add it up. If you are a L3 merchant and it takes you a year to get compliant, you might need to add about $80K to your budget for the fines.

There is more here and here.

Most of you may remember Visa'a Compliance Acceleration Program which was a set of financial incentives and penalties to get L1-3 merchants compliant. Now MasterCard has joined the act in a big way.

I can't find anything at MasterCard's SDP site. I understand that the details went out in a letter to acquirers. So I recommend that you follow-up with your acquirer and see if this new policy affects your school.

Meanwhile I'll be monitoring developments and pass along what I learn.

Chip Cards for the US? Maybe Not Soon

I saw an interesting post at Glenbrook's Payments News blog that might interest some of you. As most of you know, almost all payment cards (Visa, MasterCard, etc) issued in Europe have an imbedded computer chip. The chip -- hence the term, chip card -- is read at the time of transaction, the cardholder types their PIN (not "PIN number"...) into the terminal, and if all goes well the transaction is approved. American card don't have these chips, but no big deal: the card terminals also have a mag stripe reader so you can buy that nice dinner in Paris or go to the opera in Berlin.

The interesting news is that The European Payments Council is apparently considering a ban on mag stripe cards. Personally, I don't think this will happen anytime soon, or at least I hope not.

The creditcards.com article is a good overview of the situation. If you are interested in chip cards or travel to Europe, you might find it interesting.

So, when do I think the US will go to chip cards like most of the rest of the world? Don't hold your breath for all the reasons spelled out in the article.