Tuesday, March 30, 2010

Visa's Keylogger Alert

Visa recently issued a security bulletin alerting merchants to an increase in keylogging attacks. you can download a pdf of the bulletin here.

Your users can download keyloggers from an infected email (usually an attachment or a link to a malicious website), a USB drive or CD someone sent you (or you borrowed...bad boy/girl!), or even directly installed by an insider with access to the victim's computer.

Visa states that:
The particular key logger malware identified by Visa is equipped to send payment card data to a fixed e-mail or IP address accessible to the hacker. In these instances, the hacker is able to install key logger malware on the point of sale (POS) system due to insecure remote access and poor network configuration. Based on Visa’s review of the malware, it uses File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP) on default ports (20, 21 and 25 respectively) to send data out of the network.
The bulletin goes on to suggest a number of mitigation strategies.

BTW, for those of you who think you are immune or that no one would want your banking credentials, you obviously haven't read my previous warning. If that's not enough, you can check out Krebs on Security's latest example of bad things happening to good people.

Download the bulletin and think about your user training. The web is a dangerous place.

Monday, March 29, 2010

Credit Card Pricing: Do You Check Your Statements?

While I mostly deal with PCI and PCI-related issues, the topic of acquirer pricing does come up occasionally. Today I saw an article about payment card pricing that I think is worth your consideration.

The topic is whether you are better off with 'interchange plus' (quick answer: yes you are) pricing as opposed to 'tiered pricing.' Some acquirers are better than others at passing along to you the best pricing. Indeed, there is a mini-industry that has sprouted up to examine your monthly merchant statement(s) and see if you have had inappropriately downgraded (i.e., more expensive) transactions.

As you consider processors, make sure you tell them you want interchange plus pricing. Also work with them to make sure you don't have a lot of transaction downgrades. I have often started a PCI project by performing a payments analysis, that is, looking at transactions by brand and by interchange type. This helps me understand all the different payment channels in use as well as providing a good overview of the school's card business. I frequently see lots of MOTO and other card-not-present transactions at higher interchange rates than I would expect.

Take a look. Then look at your monthly merchant statement and make sure you are getting all that you are paying for...and not paying too high a price.

Thursday, March 18, 2010

Hotels and Data Breaches

As I've noted before (see here and here), if your school has a hotel - whether you run and operate it or your outsource it - that hotel can cause PCI compliance challenges. This article in WSJ Online confirms that hotels are particularly vulnerable to data breaches.

As you map out your compliance strategy and approaches, keep it in mind.

Friday, March 12, 2010

The PCI Council Speaks

Fellow blogger and good friend Anton Chuvakin (aka, Security Warrior) managed to score an exclusive interview with Bob Russo and Troy Leach of the PCI Council while at the RSA Conference. (I think I'm hurt...Bob only talked informally to me.) Click here to read it.

In the interview Bob (General Manager, PCI Security Standards Council) and Troy (Chief Technology Officer) make a number of good points about the need for merchants to be educated about what PCI is and how it can protect them. They also rightfully emphasize that security of your systems and data is paramount.

I found a couple of things particularly interesting. First, they seemed to dismiss my forecast that the revised PCI standard will require automated data discovery tools. Darn; missed that one. Another suggestion that I and others have pondered is the development of tiered compliance requirements, maybe one for small merchants and another for larger ones; or maybe one for merchants and one for processors. Bob and Troy knock that one down, sadly, but with good justification. I still think the idea has merit and ought to be explored.

Here's your bonus. Both Anton and Bob will be keynote speakers at the Treasury Institute's PCI Workshop in May. Maybe this time you can be the one to score an exclusive interview with one or both of them! Registration is open (shameless plug...).

Tuesday, March 9, 2010

Your Policies, Follow-up

There is a great post at Security Catalyst on why you need a privacy policy. It covers a lot of territory and compliments my previous posts (part 1, part 2, and part 3).

Here's the rationale/reasoning...

So to summarize, here are the 7 reasons you need a privacy policy:

  1. If you have customers or employees, you need to safeguard personal information.
  2. Laws do not usually establish Privacy Practices. Privacy Policies create Privacy Practices.
  3. Privacy Policies are often required by law or regulation.
  4. Your business faces privacy challenges which nobody else faces.
  5. Cloud Computing, Social Media, Goods and Services, Employer, and other activities pose unique challenges to handling personal information.
  6. You must comply with specific regulations if you have customers or employees in specific states or the EU, or if your servers (or the servers of a subcontractor) reside in the EU.
  7. Your company has affirmative privacy obligations with respect to minors under 13 years old.
Perhaps my favorite part is describing policies not as a "necessary evil," but just "necessary." Have a read, then take a look at how your institution is handling access to social media, iPhones, and all other forms of information including (ahem...) payments.