Monday, April 26, 2010

What to Expect for PCI in 2010

The PCI Council held its latest Open Mic session last week, where Bob Russo briefed callers on new developments at the Council. These webinars are a great two-way communication channel between Participating Organizations and the Council. Bob and his colleagues from the payment brands also fielded a number of questions, although they explicitly avoided any comment on possible changes to the PCI DSS expected this fall. Earlier, Bob had given press interviews in which he said he did not expect any major changes to PCI DSS this year.

Those of you who follow me know that I reported on a presentation at the Electronic Transaction Association meeting where some of the preliminary directions were presented. Nothing is yet finalized - indeed, as I also reported, the Technical Working Group was meeting at the same time as ETA and was still discussing possible changes.

While there is nothing official, we can do a little informed speculation. As I reported, I expect there will be clarification of some requirements. I think we'll also see some very welcome papers on emerging technologies that promise to make PCI compliance easier.

All of this is welcome news and supports the Council's position that PCI DSS is a stable standard that still can respond to emerging threats and new technologies. On the webinar, Bob gave the impression that information will be coming out in stages over the summer.

As soon as information becomes public, you can count on seeing it here. And for those of you attending the Treasury Institute's PCI workshop next week, you will have the opportunity to hear from Bob directly on developments at the Council.

Wednesday, April 21, 2010

Your Copier and PII

I saw this report on copiers and how the images they store are retained. I suggest you view it and do some hard thinking.

Copiers and many fax machines retain electronic copies of the images they process forever. Yes, forever. The images are stored on the machine, and when you trade in your machine, you trade in all those images, too, which go to the next owner.

These machines are an issue not just for PCI; they also present HIPAA challenges, and indeed all forms of PII (personally identifiable information), from tax returns to official documents, can be sitting there.

There are encryption modules, and it might be worth exploring these for copiers and fax machines used in areas where you process payments. They cost extra, but they could be worth it. Come to think of it, I hope every law firm, hospital, and payment back office has such encryption. Yeah, and I probably believe in the tooth fairy, too, and that the Giants will win the pennant and that I'm going to run a 2-hour marathon.

What is the risk? The machines are not easy to take apart, and you need some expertise to get the information off the storage device. But the bad guys have already figured out how to break into everything from banks to card processors, so it isn't too great a leap to believe they can dig through your copier, too. That is especially the case if the copier is from a payment operation.

On the good side, maybe a little FUD will keep your staff from using the office copier for their tax returns... think of the paper and toner savings!

Monday, April 19, 2010

OWASP Top 10 for 2010 Released

The Open Web Application Security Project (OWASP) has updated its Top 10 web application vulnerabilities. Click here to access the OWASP site and download the document. From the website:

The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Versions of the 2007 were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2010 version are underway and they will be posted as they become available.

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

PCI requires that if you develop custom code for payment applications, the code must be assessed against the vulnerabilities in this list. So if you have developers, make sure they get the word about this update.

Sunday, April 4, 2010

Cybersecurity and Risk Assessment

You have yet another opportunity (obligation? curse?) to inform and educate your senior management about how important the work you are doing to protect your institution from a damaging data breach really is.

The American National Standards Institute (ANSI) last week released its report "The Financial Management of Cyber Risk - An Implementation Framework for CFOs." I recommend you download it by clicking here (you will need to register, but it's free thanks to the good people at ANSI).

Then give it a good read. It makes the case that:

In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective. The chief financial officer (CFO), as opposed to the chief information officer (CIO) or the chief security officer (CSO), is the most logical person to lead this effort.

The report assigns dollar figures to breaches (nothing really new here, but more credibility). And speaking of credibility, a blog post from the SANS Storm Center stated that:

The report is endorsed by Melissa Hathaway, former Acting Senior Director for Cyberspace for the National Security Council. The CFO guide is a direct response to the Cyberspace Policy Review released last May. That report stated, "Between 2008 and 2009, American business losses due to cyberattacks grew to more than $1 trillion in intellectual property." Copies of the documents from the Fed review can be found on the White House website.

I found several chapters interesting, particularly Chapter 2 on educating users. There are also some great appendices, including one on insurance (really!) offered by various companies.

It all goes back to the theme that risk is a multidisciplinary issue that should be addressed in a multidisciplinary fashion.

Thursday, April 1, 2010

On the Web, Every Day is April Fool's Day

It isn't just the Google, er, I mean Topeka site. Every day on the Web is April Fool's Day. Read this article from the New York Times and consider whether you should include some of it in your end user training.

And no, that's not an April Fool's joke.