Wednesday, December 21, 2011

Happy Holidays, and Thank You

This is a good time to say "thank you," and wish a Happy Holiday and peaceful new year to everyone (both of you) who follows this blog. This has been an interesting year in PCI (we got version 2 rolling) and, unfortunately, information security (for a slide show of the biggest security breaches of the year, click here).

It has also been a great year for the Treasury Institute. We had the biggest PCI Workshop ever in May, and I personally look forward to trying to top that program in 2012 with more great presentations, speakers, and opportunities to network with other schools. I didn't get to attend the annual Treasury Institute Symposium this year, and I won't make this year either (I've already booked for some onsite work), but you should check it out. Charleston should be beautiful.

Personally, it has been the busiest of years. I found myself flying about 100,000 miles (not points, actual miles) this year. That meant I was on the road a lot, and I'm still trying to figure out if my wife thinks this is a good or a bad idea... Somehow, I managed to survive the middle seats, delayed flights, standby anxiety, and TSA security theater. I think next year I'll just buy more caramel corn at the airport to smooth out the travels.

In addition to traveling, I managed to blog more than I ever imagined with posts here, my (almost) weekly column at StorefrontBacktalk.com, and at 403 Labs' own blog. Throw in a week at RSA and really interesting speaking gigs with EDUCAUSE, SACUBO, and a few others, and it was a pretty interesting year.

Thanks to all of you who are clients, thanks to all of you who are not, and thanks to the Treasury Institute for all they do.

See you all in 2012.

Friday, December 16, 2011

The Bad Guys are not Nice Guys

According to the excellent Krebs on Security website, the Manhattan police have released indictments on 55 people who were part of the gang responsible for a string of identity thefts in New York. The details are disturbing for a couple of reasons.

First, a number of them were associated with financial institutions or a charity. That is where they seem to have gotten some of their information. The ring also included everything from money mules to a UPS driver who is accused of diverting cards.

Another disturbing part is that the people were affiliated with criminal gangs, and two of the people under suspicion turned up murdered during the course of the investigation.

As I and others have said before, the people trying to steal payment card data are sophisticated criminal enterprises. They are not all overseas. Protecting the cardholder data and other personal data entrusted to you is important. Those of you securing your systems and protecting the relationships with your students, parents, alumni/ae, and donors are doing good work. Keep it up!

The bad guys (and they definitely are "bad") are not taking the Holiday off. I heard from one school that they are getting people attempting to donate with a credit card that turns out to be stolen. What is happening is that the "donor" is using the school to check out whether a card has been reported lost or stolen yet. If the "gift" goes through, my guess is the next step is to the nearest electronics store or online retailer. Naturally, the donation is charged back by the rightful card owner, but by then it's too late. The school loses the gift and gets to pay transaction costs on the way.

Monday, December 12, 2011

PCI Council's Open Mic Meeting

The PCI Council held an "Open Mic" session for Participating Organizations this morning. Here are some of the highlights.

  • A major focus was soliciting feedback on both the PCI DSS and PA-DSS. Each PO (and this includes NACUBO, so get us your feedback!) can make up to five comments or requests for clarification/change to the standards. The deadline to submit feedback is April 1. Tom Davis and I will be tracking ideas, and we will provide feedback in time.
  • There was review of the three Special Interest Groups (SIGs) for 2012: Risk Analysis, Cloud Computing, and eCommerce for Level 3 and 4 merchants. Since the eCommerce SIG has the greatest potential benefit for Higher Ed institutions, I joined that SIG. I am looking forward to participating actively and developing some good guidance that will benefit institutions of all sizes. If your school is a PO, it's never too late to join a SIG...I'd welcome the company!
  • Training continues to be a Council priority. There will be two webinars addressing training sessions and schedules early in the new year (January 26 and 31).
  • We can expect to see some more guidance on mobile computing in 2012.
  • We might also see some additional guidance on tokenization. I got the feeling the Council felt that the current documentation was enough, but they would do more based on what they see early in the new year.
  • Lastly, Bob Russo (General Manager of the Council) acknowledged the increased interest in skimming at the POS (see a previous post, here). Bob's advice was that the best defense against skimming is vigilance by front line staff spotting changes or differences. He also pointed out that the Council has an excellent document addressing skimming (click here to download a copy). He noted that it was among the most frequently downloaded documents on the site (and deservedly so, IMO!).

There is a second session scheduled for Wednesday, and the recording of each session should be on the Council's website soon. I believe they will be generally available if you want to listen.

Wednesday, December 7, 2011

Top 25 Security Influencers

This morning I saw an interesting list of the Top 25 Influencers in Security You Should be Following put out by Tripwire. It is not a complete list, but it has some really good names there. I follow a number of them, and I actually know a few of them well enough that we talk, email, and occasionally even meet up face-to-face.

I suggest you check your list of blogs or your Google Reader (or whatever reader you might use) and see if you want to add some of the blogs from these people. My own personal list of security blogs, of course, is on the right...you can see it, just over there under the Walt's Recommended Blogs list. Your list will vary depending on your own interests, but as you do your end-of-year cleanup, you might want to update your list with some of these from Tripwire.

Tuesday, December 6, 2011

PCI Council Open Mic Sessions

The PCI Council will hold two Open Mic sessions, December 12 and 14. If your institution is a Participating Organization, you should have received an email invitation with instructions on how to register for a session. Since the Council's email contained a registration code, I assume the sessions are restricted to POs only.

Since NACUBO (in conjunction with the Treasury Institute) is a PO, I plan to attend the December 12th session. I'll report on particularly interesting comments or outcomes here as appropriate.

Friday, December 2, 2011

ACH email Scams May Be a Teachable Moment

Have you received any of those "Your ACH has failed" or "NACHA Transaction Alert" emails in the past few weeks? I have, and I deleted them immediately. I did that because they are spam.

If you received these emails, then you noticed they were very brief. They also contained a link or downloadable file, which I really, really hope you didn't click.

The good news is that these emails are a teachable moment. My colleague, Morgan Tremper (he runs our scanning support group and is a general security whiz) wrote a good piece at the 403 Labs blog (you can click here to read it). He says it better than I, so I won't repeat his thoughtful analysis.

My point is that in this season of endless appeals for our generosity, it may be a good time to alert all your staff that it is no time to go clicking on ANYTHING in an email they were not expecting.

Call me a Grinch if you like, but I'd rather be a safe Grinch than Pwned. That is not a very good holiday gift, either.

Protect Your POS Devices, NOW

Just because you are a Higher Ed institution does not mean the bad guys have not targeted you. Unfortunately, the University of California Riverside just found that out. In a news release the school advises that campus cash registers at food service locations were compromised, and that up to 5,000 individual card numbers may have been compromised. These cards didn't just belong to students, but may have included parents and visitors, too.

I don't have any specific information on this breach other than what is in the release. What they do say, though, is disturbing: "The hacker had unauthorized access to card numbers, cardholder names, card expiration dates and an encrypted version of debit card pin numbers [sic]."

Attacks -- both physical attacks on POS like skimming (as I wrote about here) and "cyberattacks" on Web-facing systems -- increasingly target smaller businesses like higher education. Why? The reason seems to be that smaller businesses have poor security or none at all.

You do not want to have to go to your president to ask for budget (to set up a website, field calls, write a FAQ, etc.) and approve a press release telling your students, parents, alums, and friends to "monitor card activity carefully, and report any suspicious activity."

Protecting the POS should be part of your annual security training. The bad guys are out there. They target higher ed institutions. And if you are compromised, please know you cannot expect any special treatment from the card brands as far as fines or other penalties. You are a merchant, and you lost the data. Game over.

Monday, November 21, 2011

SIGs for 2012

The votes are in, and the three Special Interest Groups for 2012 are:

  • Cloud
  • eCommerce Security
  • Risk Assessment.

The selection of eCommerce Security is very good news for all Higher Ed institutions (see previous post here). I ranked the eCommerce SIG as the top priority for Higher Ed, so it is good to see it on the list. Now we should get some detailed guidance on how best to implement hosted order pages, shopping carts, and dedicated payment workstations.

Tuesday, November 1, 2011

PCI 2.0 Comment Period Now Open

Hard as it may be to believe, PCI 2.0 is no longer all that "new." In fact, starting today, November 1, the official comment period is now open. That means I want to hear from you on your experiences with PCI 2.0.

Both PCI DSS and PA-DSS have a three-year lifecycle. It has now been one year since both standards were aligned and version 2.0 became effective at the start of 2011. That means we are entering the comment phase where your experiences are important. Keep in mind that while the version has a three-year lifecycle, there are provisions for regular updates to reflect the experience of merchants, service providers, and vendors.

NACUBO, in partnership with the Treasury Institute, is a Participating Organization (PO) in the PCI Council. Tom Davis of Indiana University and I represent NACUBO -- and by inference you -- at Council meetings and deliberations. Therefore we want to hear what your experiences have been with PCI 2.0 so we can assemble our comments and get them to the Council.

There are a couple of things to understand. First, NACUBO gets to make five comments. That is, we can request clarification or changes or whatever to five PCI requirements. Tom is working the EDUCAUSE angle, and I am asking for comments through the Institute's blog. Maybe somebody can even post something on the PCI listserv? (hint, hint.)

I would like to ask you to organize your thoughts, experiences, and feedback on PCI 2.0. You can send comments directly either to me (wconway@403labs.com) or Tom (tdavis@iu.edu). If your school is already a Participating Organization, then be sure to get your whole PCI team together and have your voice heard. After all, that is one of the reasons you are paying to be involved in the Council.

Both of us, along with NACUBO and the Treasury Institute, look forward to receiving your comments.

Straight Talk on Tokenization

Are you looking at tokenization as a way to reduce your PCI scope? My guess is that you, or at least some of your campus merchants, are, and therefore you will want to be as up-to-date as you can, especially with the recent PCI Council guidance on tokenization and PCI scoping.

Many campus merchants are considering various tokenization strategies (or at least their software and service providers are pitching tokenization to them). As I've written before (see here, and here), tokenization has a lot of benefits. It also has some things you need to be careful of, and definitely some things you need to know before you go signing any contracts with token providers.

On Thursday, November 3 I will be participating in a tokenization webinar entitled: Straight Talk on the New PCI Tokenization Guidelines -- A QSA's Viewpoint. The webinar is sponsored by Intel (which also sponsored some of my tokenization research and the Tokenization Buyer's Guide). I will discuss tokenization in general, some of the different approaches, and which implementation might be best for which types of merchants.

If you are interested, you can register using this link. Yes, there will be a description of (i.e., pitch for) Intel's product offering at the end, but the majority (my part) is vendor agnostic and explores both third-party hosted and internal solutions.

If you are considering tokenization, you may want to have a listen. If you can't make the live webinar, I'm guessing they will have a recording available.

Friday, October 28, 2011

PCI Council Webinar to Address Point-to-Point Encryption Security

The PCI Security Standards Council has announced that it will provide a detailed overview of the recent updates to the PIN Transaction Security (PTS) program on November 8. A second, repeat webinar will be November 10.

Schools interested in P2PE may want to consider attending to get the latest information on the new release of the PCI PTS requirements. Many institutions and their auxiliaries are very interested in this exciting technology that can reduce your PCI scope greatly. There are still some details to work out, like testing the POS devices to make sure they work as advertised, and this webinar should address some of those security questions.

Here are the details. You can also check out the PCI Council’s Website link:

PIN Transaction Security Program Updates: PTS 3.1 and PCI PIN Security Requirements 1.0

Tuesday, November 8, 2011 at noon PT/3:00 pm ET/8:00 pm GMT

Thursday, November 10, 2011 at 8:00 am PT/11:00 am ET/4:00 pm GMT

Please join members of the PCI Standards team for a detailed overview of the newest updates to the PIN Transaction Security (PTS) program, followed by a live Q&A session. The presentation will cover key changes to PTS requirements including:

  • Updates to PTS Point of Interaction (POI) Requirements 3.1 that include two new approval classes for Secure Card Readers and Non-PIN Entry Devices
  • Extension of Secure Reading and Exchange of Data (SRED) and Open Protocol (OP) modules to version 2 devices
  • Explanation of how these changes can facilitate the secure deployment of point-to-point encryption (P2PE) technology and mobile payments
  • Overview of PCI PIN Security Requirements 1.0 and the use of this criteria for the protection of PIN data
  • Enhancements to HSM Security Requirements

I have written about P2PE before on this blog (click here to read it). Those of you new to this may want to have a read before the webinar.

Tuesday, October 25, 2011

Voting for PCI Special Interest Groups is Open

I know a number of your institutions are Participating Organizations (POs) in the PCI Council. If you are, it is time you get your PCI team -- including business and IT groups -- together to decide how to cast your vote for the Special Interest Groups (SIGs) for 2012.

The Council received 31 nominations for SIGs, and they narrowed it down to seven. Based on how POs vote, three will be selected for 2012. The seven are (in no particular order):

  • Managing administrative access to systems and devices
  • Preparing a risk assessment
  • Patch management
  • eCommerce security
  • Cloud technology
  • PCI for small businesses
  • Managing hosted service providers.

Looking at the seven, four are more technical in nature and three are business focused. That is why I suggest you get your whole team together so you gather ideas from all over the institution.

As most of you know, I (along with Tom Davis of Indiana University) represent NACUBO which is a PO. We finished our analysis and have recommended NACUBO's vote (which I'm casting later today) to reflect the mix of needs of Higher Ed institutions of all sizes. You now need to do the same for your institution. Voting opened Monday (Oct 24) and closes November 3, so don't wait!

Schools that are POs were sent an email last week with a link to the Council's PO portal. The portal has videos of the brief presentations from the Community Meeting where they previewed each nominated SIG. I recommend you view the videos, discuss your priorities, and cast your vote.

Not many standards or regulatory organizations let their 'constituents' decide where to do research and provide guidance. The PCI Council does, so I hope all schools who are POs will be sure to vote.

Wednesday, September 21, 2011

Self-Assess Like a QSA?

Just about everyone reading this self-assesses their institution's PCI compliance using one or a set of Self-Assessment Questionnaires (SAQs). This is the PCI Council's -- and the card brands' -- own version of the honor system.

But the very largest Level 1 merchants don't get to use the honor system. Instead they must get an outside assessment, either by a Qualified Security Assessor (QSA, like me) or a member of their own staff who attended training and qualified as an Internal Security Assessor (ISA).

The QSA prepares a Report on Compliance (ROC, pronounced "rock"). This covers all of PCI. Moreover, the QSA needs to see multiple pieces of evidence before she/he can mark a requirement as "in place." The Council has released its updated guidance on just what the QSA does. It could make informative reading. It is now available for everyone to see.

Click here to download a copy of the ROC Reporting Instructions, then see how your own internal self-assessment measures up.

Staying in Touch With Developments

I'm getting ready to head off on vacation for a few weeks, and it has me thinking about staying in touch. I mention this because I probably won't be making many blog posts for a bit, and at the same time there is a lot happening in the PCI world that you want to make sure you stay current with.

One way is to set up your Google (or Safari or whatever) reader and load up the RSS feeds for your favorite blogs. That is what I do, and it's great for filtering what you need to see. A great way to start is with the blogroll on the right. These are some of the blogs I follow (or participate in), and I'd add them to whatever list you put together.

Of particular interest might be the StorefrontBacktalk link. While they have gone to a premium pricing model (hey...everybody's got to eat!), I am pleased to announce that my PCI columns shortly will all be "free." There is a lot of other great retail content there, too, so if you have auxiliaries or other retail-like operations on campus, I'd point your RSS feed there.

With so much happening on point-to-point encryption (with the painful acronym P2PE), tokenization, and the reality of PCI 2.0, you should take a few minutes to skim the highlights so you can stay up to date with what's happening.

Over the next few weeks, I'll be relying on my iPad and assorted English, Belgian, and French hotel WiFi links to stay connected. Yes, I'll still be on vacation, but I'll also be staying in touch. You may want to do the same.

Friday, September 2, 2011

Certificate Attacks on Google

Like many of you involved in security, I have been following the news about the recent compromise of a Dutch certificate authority (presumably by the government of Iran, but not proven). There was a brief piece earlier in the New York Times (click here). You also can find a great explanation and exposition of exactly what happened and what it means in this blog post.

Yes, the Internet is a very scary place.

UPDATE:
Here are some additional articles that shed some more light on the risks and what you need to know:
  • If you read nothing else, please read this post (click here) from my colleague, Morgan Tremper. As he says, "Far and away, the most essential method for staying ahead of threats to your security is fixing the problems that the industry already knows about." A very clever man is our Morgan. What Morgan points out is that there is something you can do to protect yourself, but you (and all your users) have to *do* it!

  • "The disturbingly complete compromise of DigiNotar, the Dutch certificate authority, has broad ramifications for other CAs, enterprises and consumers who rely on the shaky web of trust that comprises the CA system. Here's what you should know about the attack and what you can do to protect yourself against intrusions resulting from it." (Click here to read more.)

  • "The details of the attack on DigiNotar that began to leak out on Monday have gotten uglier by the day as more and more researchers have looked into the compromise and the depth of the problem became clear." (Click here to read more).

Happy reading on this holiday weekend.

Friday, August 26, 2011

PCI Tokenization Buyer's Guide Available

I am very pleased and excited to tell you about a project I just completed. That project was to write a buyer's guide for tokenization. The project was sponsored by Intel Corporation. While they got to look at the draft, I (and my colleagues at 403 Labs) had complete editorial independence and control. The result is a vendor-neutral, technology-neutral discussion of tokenization, how it might reduce your PCI scope, how to evaluate alternative vendor products, and what you can expect.

Together with the guidance from the PCI Council, I hope this Buyer's Guide will help merchants determine if tokenization is right for them, and if it is, how they should evaluate their options. If your bookstore, food service operation, parking garages, or other auxiliary organization has any retail-type payment activities, they likely are (or should be) looking at tokenization as a way to reduce their PCI scope. This guide was designed for them.

You can download a PDF of the white paper at Intel's website. I hope you find it useful.

Monday, August 22, 2011

Visa on How to Detect a Security Breach

Visa just released a very interesting slide deck entitled Identifying and Detecting Security Breaches. You can see it by clicking here. The presentation illustrates some of the signs of a potential incident among other things.

The presentation makes interesting reading, and you may want to read it alongside your own incident response plan.

I particularly like the emphasis on logs and logging. Having a good logging system is critical to detecting security breaches, and Visa emphasizes this point. They also discuss the basics of incident response management (which is why you may want your own plan nearby).

I suggest you download the material, and while you're at it, surf over to Visa's website and download their excellent What to Do If Compromised document. I always send a copy to clients before starting a new engagement.

PCI DSS Point-to-Point Encryption Guidance Soon?

Like many of you, I am looking forward to the PCI Council's guidance on point-to-point encryption. A lot of schools are talking to vendors about POS devices that promise to take their systems out of scope. Some schools are buying these terminals, and I have to admit they seem attractive. Before you go too far, though, I recommend you take a look at what the Council is saying, and what they might say, about how P2PE (the unfortunate acronym) can reduce your PCI scope.

The place to begin is to download the excellent "Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance v 1.0." This document came out last October. It lays out a lot of the details and what to look for in a P2PE system. What we are all eagerly awaiting, though, is the follow-on document promised before the end of this year: the actual "Validation Requirements for Point-to-Point Encryption." The Council promises:

It [the Validation Requirements] will define requirements and the process for validating effective P2PE solutions. Its intended audience is vendors, assessors, and labs that may evaluate the testing procedures associated with key management, segregation of duties, access controls, and other necessary criteria.

Here are some things to keep in mind as you look at solutions in the market today.

First, please understand P2PE only affects the transmission of cardholder data. It says nothing about storage or processing. The Roadmap document makes this clear in several places. Second, keep in mind that this is an integrated hardware-software-provider solution, and all three parts have to work for it to be effective.

Then look at the advice on how to implement the system:

  • Encryption is performed immediately after reading the data through contact-based (EMV), magnetic stripe, contactless, PAN key entry or Near Field Communication [NFC] methods.
  • The portions of the merchant environment that no longer require validation have no access to: plaintext CHD, cryptographic keys, or a decryption function that would allow encrypted data to be decrypted.
  • CHD (including any sensitive authentication data) cannot be decrypted until received by a validated decryption point such as a segmented portion of the merchant network or processor/acquirer network.
  • P2PE solutions including devices, key management practices, and encryption and decryption environments are independently validated.

The Roadmap has four conclusions: the technology is immature (meaning don't necessarily believe everything you might be promised); P2PE can move only the transmission part of your transactions out of scope (if properly implemented and validated, of course), meaning your payment application may still be in scope depending on where the two "points" are; P2PE does not make PCI DSS compliance go away (i.e., silver bullets are still outlawed); and you need independent validation of the P2PE solution, particularly the encryption/decryption process.

It is this last part where I expect to see the Council announce a program modeled on PCI PTS. That is, there will be independent testing labs that will validate devices (and their underlying software) for compliance, much like they test encrypting PIN devices today. This will give vendors a clear path to get their devices approved, and it will give you confidence that what you buy and install will reduce your PCI scope.

Let me make it clear I have no inside information. I am not part of the task force, and I have no insights into the Council's deliberations. However, I do expect a guidance document to be issued soon (it is getting late in 2011, after all).

P2PE is an exciting and promising technology to reduce PCI scope for many merchants operating in a card-present environment. Like tokenization, there will be lots of issues to address in any implementation. In the meantime, if you have any interest in point-to-point encryption (and I expect almost all of you dear readers will), download the Roadmap and read it carefully. It may help you with your intermediate decisions, and it will help you understand the final guidance document when it comes out.

Tuesday, August 16, 2011

I'm Here For Another Year

Earlier this month I took my annual QSA re-training and then the re-qualification exam to continue being a QSA (for my third year). For those of you who don't know, the PCI Council requires all QSAs to go through this process each year. The good news is it looks like I'll keep doing this for a while.

The re-qualification training has changed quite a bit. It is computer-based, and it has improved each year. This year there was a lot of focus on PCI version 2.0 changes as well as the supplementary guidelines issued by the Council. The refresher on the actual PCI DSS Requirements was pretty cursory, as you would imagine for a current QSA, but there was some additional material that was quite well done.

The test was a series of multiple choice questions on everything PCI and payment cards. My biggest problem was arguing with the test because I could make a case in a couple of instances that several answers were true. I know talking back to a computerized test is neither very useful nor productive, but I felt better. All of which is to say I likely didn't score 100%.

I'm looking forward to another year of blogging, working with my clients, and definitely another year of the Treasury Institute's PCI Workshop. I hope to see many of you there next April.

Monday, August 15, 2011

Passwords Don't Have To Be That Hard

One of the issues that most frustrate users is passwords. They have to be long, they have to be complex (i.e., upper and lower case, numbers, symbols), and they have to be changed regularly. PCI Requirement 8 has an amazing number of detailed requirements for passwords.

So how do you enforce a compliant password policy without everyone either (a) writing their passwords on yellow sticky notes attached to their screens, or (b) threatening you when you show your face in their office? Here are some thoughts.

Personally, I use 1Password to manage my (strong) passwords. There are also various other programs, many of which are free. I just like that one (along with a lot of other security pros for whom I have a lot of respect).

MAKE your password strong, with a unique jumble of letters, numbers and punctuation marks. But memorize it — never write it down. And, oh yes, change it every few months.

These instructions are supposed to protect us. But they don’t.

Part of the reason is that it is tough to follow those instructions.

But there are other approaches. For example, please take a look at this great column from the New York Times. The author emphasizes that it is the length that is important in passwords:

Here’s a little quiz: Which is the stronger password? “PrXyc.N54” or “D0g!!!!!!!”?

The first one, with nine characters, is a beaut. Mr. Gibson’s page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)

Don’t worry about the apparent resemblance of “D0g,” with a zero in the middle, to the word in the dictionary. That doesn’t matter, “because the attacker is totally blind to the way your passwords look,” Mr. Gibson writes on his Web site.

Wowsers. If I can remember the number of exclamation points (or ^s or &s or whatever), then I can have a strong password that I might be able to have users remember.

But for genuine wisdom (and I do not use that term lightly!), you have to see the blog post by my colleague Jeff Zellman at the 403 Labs blog. He writes:

What many people fail to realize is password cracking is done by automated computer programs. These programs are fairly sophisticated and try all the characters on the keyboard (not just letters!). Shorter passwords are easier to guess since there are less characters to match. Just like a 3-ball lottery is easier to win than a 7-ball one.

Now imagine the difficulty of winning a 44-ball lottery.

You actually have to see the accompanying cartoon (talk about wisdom!) to get it, but the point is that we can help users create strong passwords (high entropy) using passphrases that they can remember.

Computers can crack passwords (eventually), but people have to remember them. Too often when we are working on PCI compliance we forget that humans have to implement the requirements or they won't stick. Passwords are no different.

Let's see... "correct horse battery staple"... Read Jeff's post and you'll get it.

Maybe your users will, too.
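To make the arithmetic in the quiz concrete, here is an added example (mine, not code from the Times column, Steve Gibson's page or Jeff's post) that computes the search space and the worst-case cracking time at the quoted hundred billion guesses per second. It assumes a 95-symbol printable alphabet, an attacker who must try every length up to the target, and a 2048-word list for the passphrase; those are my assumptions, not numbers from the page. It also carries the 44-ball lottery through: four words from a 2048-word list is 44 bits, which is centuries of work against a throttled web login but roughly three minutes against the same offline attacker who needs 19 years for "D0g!!!!!!!". The passphrase advice is sound for what people type into web forms; for anything an attacker could crack offline, use more words.

```python
"""Search-space arithmetic behind the password quiz above.

Added example: not code from the Times column, Steve Gibson's page, or Jeff
Zellman's post. Assumptions (all labelled): a 95-symbol printable-ASCII alphabet
(26 lower, 26 upper, 10 digits, 33 punctuation), an attacker who must try every
string up to the target length, the quoted rate of 100 billion guesses/second,
and a 2048-word list for the four-word passphrase.
"""
import math

OFFLINE_RATE = 100_000_000_000   # guesses/second quoted in the column (hash in hand)
ONLINE_RATE = 1_000              # assumption: a throttled web login, as in the xkcd panel
PRINTABLE = 95                   # assumption: every printable ASCII symbol
LOWER_AND_SPACE = 27             # assumption: alphabet of a lowercase passphrase with spaces
WORDLIST = 2048                  # assumption: size of the list the passphrase is drawn from

SECONDS_PER_MONTH = 30.44 * 86400
SECONDS_PER_YEAR = 365.25 * 86400


def search_space(length, alphabet=PRINTABLE):
    """Candidates an exhaustive attacker must try: every string of length
    1..length over the alphabet, since the length itself is unknown."""
    return sum(alphabet ** n for n in range(1, length + 1))


def seconds_to_exhaust(space, rate=OFFLINE_RATE):
    """Worst-case time to walk the whole space at the given guess rate."""
    return space / rate


def passphrase_bits(words, wordlist=WORDLIST):
    """Entropy of `words` random words from the list when the attacker knows
    the scheme and the list: Jeff's lottery model, 44 bits for four words."""
    return words * math.log2(wordlist)


def describe(seconds):
    """Coarsest unit that fits, for a readable comparison."""
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_MONTH:.2f} months"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def compare(candidates, rate=OFFLINE_RATE):
    """Map each password to the time needed to exhaust its length class."""
    return {pw: describe(seconds_to_exhaust(search_space(len(pw)), rate))
            for pw in candidates}


if __name__ == "__main__":
    print(compare(["PrXyc.N54", "D0g!!!!!!!"]))
    phrase = "correct horse battery staple"
    # Attacker blind to the scheme: 28 characters over a 27-symbol alphabet.
    print("blind brute force:",
          describe(seconds_to_exhaust(search_space(len(phrase), LOWER_AND_SPACE))))
    # Attacker who knows it is four list words: 2^44 candidates.
    space = 2 ** passphrase_bits(4)
    print("known scheme, offline:", describe(seconds_to_exhaust(space)))
    print("known scheme, online :", describe(seconds_to_exhaust(space, ONLINE_RATE)))
```

Run it and the nine-character password comes out at about 2.4 months and the ten-character one at about 19 years, matching the column to within rounding; the passphrase shows both faces, astronomical if the attacker is blind to the scheme, minutes if he knows it and has the hashes.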

Saturday, August 13, 2011

Tokenization Guidelines Released

Friday, the PCI Security Standards Council released its long-awaited tokenization guidelines. You can click here to get a copy.

I wrote about it on the 403 Labs blog, so I won't repeat myself. Also, Evan Schuman did a great job summarizing the implications on StorefrontBacktalk.

If you are contemplating tokenization at all, do yourself a favor and download and read carefully the Council's guidelines (along with the blog posts above). Especially see the very end of the guidelines where they talk about "high value tokens." A high-value token is one that can itself be used to initiate a transaction, and the Council's view is that such a token may need the same protection as the PAN it replaces. In a lot of cases, your tokens might be these "high value" ones, and if so, they may be in scope for PCI...!


Thursday, August 11, 2011

Visa Supports EMV Cards - Can You Skip PCI Revalidation?

The two thoughts in the headline might seem unrelated, but they are actually part of the same idea.

In case you missed it, Visa released four (!) bulletins on Tuesday about their plans to accelerate the acceptance of chip technology for both card and mobile device transactions. What follows is a brief discussion of each of the releases, links to the original docs, and a few editorial comments (as if you had to ask...).

The first bulletin describes Visa's plans to "accelerate the migration to contact and contactless EMV [named after the three organizations behind the standard: Europay, MasterCard, and Visa] chip technology in the United States." It is a great overview of Visa's strategy, explains the technology a bit, and links to the following three bulletins.

In a second bulletin, Visa describes the details, particularly incentives for merchants to upgrade their POS devices to process chip transactions. The carrot: "Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals."

Wowsers...did Visa just say they were waiving PCI compliance!?! No, they did not say that. What Visa said was that effective October 2012, if a merchant (1) had validated its compliance in the last 12 months, (2) didn't store sensitive authentication data (like the security codes or mag stripe), (3) was not involved in a cardholder data breach, AND (4) processed at least 75% of their transactions on "dual-interface EMV chip-enabled terminals", they could participate in the Technology Innovation Program (TIP).

Under TIP, the merchant does not need to RE-VALIDATE compliance each year. You still have to be compliant, and if you get breached the same penalties presumably will apply, but you don't have to re-validate your PCI compliance.

This TIP program (already available in Europe) is what has lots of people buzzing. What does it mean for Higher Ed? I've got some thoughts (naturally!), and they are a bit further down.

Whoever heard of a carrot without a stick? Certainly not Visa, and the "stick" is in a third bulletin. This one describes a liability shift. Simply put, after October 2015 (note the different date) the rules for who is responsible for counterfeit fraud at the POS shift: "This policy assigns liability for counterfeit fraud to the party that has not [Visa's emphasis] made the investment in EMV chip cards (issuers) or terminals (merchants' acquirers)."

Many observers and blogs are missing this liability shift. Read it carefully. It looks to me like Visa wants everybody in the US to have a chip card by 2015.

Therefore, if a merchant and/or acquirer (or processor) doesn't buy POS terminals and upgrade their back office systems to process chip transactions, they eat the counterfeit card fraud at the point of sale.

The fourth bulletin is the acquirer/processor mandate, and it mainly contains technical details on Field 55 and other message elements.

What does this mean for Higher Ed? Should you go out and start pricing EMV chip-enabled POS terminals for everybody? Do you have to? How much will TIP save you if you qualify?

Good questions all. First some full disclosure: I am a QSA, so I might be biased in some of this; also I used to work for Visa, and those were some of the happiest years of my professional life, so again I might be biased. Given all that, here are some thoughts to get us started...

Kudos to Visa for showing leadership. The US is far behind the rest of the world in terms of card technology. As a cardholder I applaud what they are doing. Even if fewer companies need QSAs, I'm willing to start polishing my resume. Besides, nobody waived PCI compliance, just the formal re-validation (once you have validated). I hope I don't have to wait until 2015 to get my chip card.

Will the other brands follow suit? When will we see MasterCard's, Amex', or Discover's chip acceleration plan? If they don't, any benefit from TIP will be reduced to about zero since those brands will still require PCI compliance re-validation.

Speaking of a carrot...what carrot!?! I don't see how anyone but the biggest (Level 1 and some Level 2) merchants get any benefit from TIP. Smaller merchants don't hire QSAs to prepare a Report on Compliance (ROC), they hire QSAs as consultants. So not requiring one is no big deal. Also, in the past the card brands offered incentive (i.e., lower) interchange rates to offset the cost of merchant technology investment mandates. Here, there is no incentive. Think about it: the card brands introduce a "tax" on all merchants called PCI compliance; one brand then offers to waive the tax if you spend money on technology. To me, that's just giving you back your own money. TIP seems to cost Visa and its issuers not a penny.

Doesn't waiving PCI compliance re-validation hurt security? Visa said their objective was increasing security by encouraging chip technology. I think we have to wait and see if waiving formal compliance re-validation causes merchants to get lazy and backpedal on security.

What about MOTO and ecommerce? Good question. These announcements only dealt with POS transactions. As far as I can tell, chip cards won't help much when the card isn't present. Plus, remember the cards still have mag stripes.

What does this mean for Higher Ed? My guess is it means very little in terms of incentives. However it does mean that you need to have the "dual-interface EMV chip-enabled" POS devices at least by October 2015. It might be time to talk to your acquirer/processor and look at your technology budgets. Then again, if you don't have much POS fraud, maybe you can skate along for a while. I wouldn't advise it, but...

For a great post and discussion, surf over to Securosis and have a read.




Tuesday, August 9, 2011

Don't Miss Patch Tuesday

Microsoft released quite a package of thirteen security patches today. You can check out the list at SANS (click here) and here's a link to Microsoft's Technical Bulletin.

This update has some patches you don't want to miss, particularly for Internet Explorer and for your DNS servers. The IE patches are especially important because exploits are already known and circulating in the wild.

Thursday, July 21, 2011

Data Breaches are Real

Your campus merchants are ripe targets of opportunity for hackers and phishers.

If you haven't seen this article in the Wall Street Journal online, I recommend you read it. It is about a small business that downloaded some malware (very easy to do; very tough to eliminate once you do), and as a result they suffered a major data breach. Well, maybe not "major" in the sense of making the headlines, but it nearly put one small business out of business.

The moral of the story is simple: this could happen to you...to your campus...to your auxiliary organizations like parking or bookstore or any other campus merchant.

Please give a thought to passing this link to your campus merchants. I'd also suggest you make stories like this a part of your security training.

The bad guys are increasingly targeting small and medium-sized businesses. With the typical open networks and varying degrees of security on most campuses, you should consider yourself at risk every day. Which reminds me, have you taken a look at your latest vulnerability scans? When was the last time you updated anti-virus and installed patches on ALL your systems?

Please don't be the next one in a headline. It'll surely ruin your day.

Monday, July 11, 2011

Credit Card History

I'll admit it: I am a credit card junkie. For others similarly afflicted or those who might want to see what it is like, take a look at a post at MSN Money on "18 Fun Facts about Credit Cards". There is nothing new here, but it is a good collection of some historic milestones in the plastic payment business.

Higher Ed Credit Card Agreements

Does your school have a co-brand credit card agreement? Usually, it will be your Alumni Association, Foundation, or even the Athletics or an academic department that has partnered with a bank to issue one of these co-branded cards. If you have one of these, you may want to compare your program with your peers. Thanks to the Federal Reserve and the Credit CARD Act, this is possible.

The Federal Reserve has released its second "Report on College Credit Card Agreements." A copy is available for download at the Fed's site (click here to download a pdf version).

By way of background:
Section 305 of the Credit CARD Act and the Board’s implementing regulations, 12 C.F.R. § 226.57(d), require credit card issuers to submit to the Board each year a copy of any college credit card agreement between the issuer and an institution of higher education or an alumni organization or foundation affiliated with an institution of higher education (an “affiliated organization”) that was in effect at any time during the preceding calendar year. Issuers also are required to submit the following information with respect to each agreement: (1) the number of credit card accounts opened pursuant to the agreement (“college credit card accounts”) that were open at year-end (regardless of when the account was opened); (2) the amount of payments made by the issuer to the institution or organization during the year; and (3) the number of new college credit card accounts that were opened during the year.

Issuers were required to make their second annual submission to the Board by March 31, 2011. This submission comprised college credit card agreements to which the issuer was a party during 2010 and information regarding payments and accounts as of December 31, 2010.

The document mainly contains tables of individual Higher Ed institutions' programs, but there is some text and lots of footnotes. There is also an online database of the agreements.

Compliments to the folks at Payments News for pointing out this information.

Friday, June 24, 2011

Mobile Payments Update from PCI Council

The PCI Council has released their plans for PA-DSS validation for mobile commerce applications. In an announcement to Participating Organizations, they stated:

In November 2010 the Council announced that it would no longer accept mobile payment acceptance applications for PA-DSS review or validation until a thorough review was completed. Understandably, this was met by mixed reactions in the industry. While some applauded the decision - recognizing the very real complexity and security concerns these applications present - many of you, eager to take advantage of the benefits of mobile payment processing, were frustrated as to why this step was taken.

This was the first and necessary step that has allowed us to confidently give you clear direction now as to what types of applications can allow you to accept and process payments securely and support PCI compliance.

[Friday] the Council will publish an updated statement on PA-DSS and mobile payment acceptance applications, accompanied by a fact sheet designed to help in identifying and determining which payment applications can be reviewed and validated by the Council as secure for accepting and processing cardholder data and support merchant PCI DSS efforts.

In evaluating these applications in light of our standards, we've determined that the major risk is the environment that application operates within, and whether or not it can support a merchant's PCI DSS security efforts. Based on this evaluation, we've now identified the types of solutions that can meet PA-DSS requirements and support a PCI DSS compliant environment.

We've also determined the area where solutions can't currently meet PCI requirements - and now we are looking at this closer to see if and how these can be secured, collaborating with industry subject matter experts to produce additional guidance by the end of the year.

We recognize that you have been eagerly awaiting an update from the PCI Security Standards Council on how you can be sure the mobile payment applications you're deploying can accept and process payment cards securely, and we hope you'll take advantage of this first step with these resources today.

You can download a copy of the release by clicking here.

The good news is that for new mobile payment applications for their Category 1 (using PCI PTS devices) and Category 2 ("bundled" hardware and software devices), the door for PA-DSS validation is open. Unfortunately, I'd plan on about a year before there are PA-DSS versions of apps to run on your smartphones.

Meantime, another realistic option is to go for a hardware solution. This is in two parts. First, you will need a secure, likely PTS-listed device to read the mag stripe on the cards. This could be a "sled" or a Square-like plug-in attachment. Then (here's the big part) using the guidance expected soon on point-to-point encryption, a vendor can combine the device with encryption to take the phone itself out of scope. While the merchant won't have the functionality of a full payment app (which is what everyone really wants), they will be able to take cards securely using a mobile device.

There will be more developments in the coming months. Stay tuned...

Thursday, June 23, 2011

How Good is Your HR Policy?

The second part of the headline is: "...and Why You Should Care."

What I'm talking about is what happens when you dismiss someone or they decide to leave. How long does it take your HR and IT departments to cancel their user IDs and privileges?

PCI actually has a bit to say about your procedures, and even if you fill out a simplified SAQ, you should take a look. For example, Requirement 3.6.5 says that if a departing employee knew a clear-text encryption key (your key custodians, for a start), you retire or replace that key. It sounds pretty simple and obvious when you think about it, but will you know of this rather important detail when that happens? Does HR? Does IT know to tell HR (or vice versa)?

Then again, there is our old friend 8.5.4 which requires you to revoke immediately (the Council splits that infinitive, but ...) the password of any terminated employee. But what does "immediately" mean? To me, it means certainly no later than close of business the employee's last day. If you want a classic example of what can happen, you might want to check out this post from SANS.

You may want to terminate the user's ID the day before when the termination is "for cause." For an employee who is leaving voluntarily, it may be a good idea to terminate privileges as soon as notice is received (typically two weeks in advance) or, at the very least, to restrict severely the permissions the employee has during the notice period.

In these difficult times, it makes sense to look at all aspects of where PCI can protect your institution.
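Here is an added example of the check I'd want HR and IT to run every day (it is mine, not from the blog, the PCI DSS or any HR or directory product). It reconciles a constructed HR leavers export against a constructed directory dump and reports enabled accounts past their cutoff (8.5.4), accounts to restrict during a notice period, keys whose custodian has reached the cutoff (3.6.5), and enabled accounts HR has never heard of. The column names and the sample rows are assumptions; map them to whatever your HR export and directory dump actually contain.

```python
"""Reconcile an HR leavers list against live accounts (added example).

Not from the blog, the PCI DSS, or any HR/IAM product. Both CSV snippets are
constructed sample data, and the column names (user_id, status, last_day,
termination_type, enabled, custodian_of) are assumptions: map them to whatever
your HR export and directory dump actually contain.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR export: who is leaving, when, and why.
HR_ROSTER = """user_id,status,last_day,termination_type
asmith,terminated,2011-06-20,for_cause
bjones,resigning,2011-07-01,voluntary
cdoe,active,,
dlee,terminated,2011-06-22,layoff
"""

# Constructed directory dump: account state plus any encryption key the person
# is a custodian of (Requirement 3.6.5: replace keys a departing custodian knew).
ACCOUNTS = """user_id,enabled,custodian_of
asmith,true,
bjones,true,db-cde-key-2011
cdoe,true,
dlee,false,tokenizer-kek
evendor,true,
"""


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def cutoff_for(person):
    """Last day the account may stay enabled. For-cause terminations are cut
    off the day before the last day; everyone else by close of business that day."""
    last_day = date.fromisoformat(person["last_day"])
    if person["termination_type"] == "for_cause":
        return last_day - timedelta(days=1)
    return last_day


def review(hr_csv, accounts_csv, today):
    """Return what HR/IT must do as of `today` (an ISO date string):
    disable     - enabled accounts past their cutoff (8.5.4 "immediately")
    restrict    - enabled accounts of people still in a notice period
    rotate_keys - keys whose custodian has reached the cutoff (3.6.5)
    orphans     - enabled accounts with no HR record at all
    """
    today = date.fromisoformat(today)
    accounts = {row["user_id"]: row for row in load(accounts_csv)}
    hr = {row["user_id"]: row for row in load(hr_csv)}
    result = {"disable": [], "restrict": [], "rotate_keys": [], "orphans": []}

    for uid, person in hr.items():
        if person["status"] == "active":
            continue
        acct = accounts.get(uid)
        enabled = acct is not None and acct["enabled"].lower() == "true"
        cutoff = cutoff_for(person)
        if today >= cutoff:
            if enabled:
                result["disable"].append(uid)
            if acct and acct["custodian_of"]:
                result["rotate_keys"].append(acct["custodian_of"])
        elif enabled:
            result["restrict"].append(uid)

    # Accounts nobody in HR owns are the ones that outlive everybody.
    for uid, acct in accounts.items():
        if uid not in hr and acct["enabled"].lower() == "true":
            result["orphans"].append(uid)
    return result


if __name__ == "__main__":
    for action, ids in review(HR_ROSTER, ACCOUNTS, "2011-06-22").items():
        print(f"{action:12s} {', '.join(ids) or '-'}")
```

Run against the sample on 2011-06-22 it tells you to disable asmith (fired two days ago, still enabled), restrict bjones (notice period), rotate the tokenizer key dlee was custodian of even though his account is already off, and ask who owns evendor. The same run on July 1 moves bjones to the disable list and adds his key to the rotation list.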

Friday, June 17, 2011

How the Stolen Card Market Works

There were a couple of interesting reports on NPR today. Each covers much of the same ground, but they provide some interesting background for all of us in the card business.

Here are a couple of links:

How to Buy a Stolen Credit Card

The FBI Agent who Broke the Black Market

Also, here is a podcast from PlanetMoney with Keith Mularski (same guy) on DarkMarket and how credit cards get stolen and fenced.

The bad guys are out there. They go for credit cards because (of course) that's where the money is.

Monday, June 13, 2011

PCI Virtualization Guidance Published

The PCI Council's Virtualization Special Interest Group (SIG) just released their report. You can download it here.

I'd recommend it to any school looking at or implementing virtualization in their PCI network.

Thursday, June 2, 2011

News From the PCI Council

As all of you know (I hope), NACUBO is a Participating Organization with the PCI Security Standards Council. As NACUBO's representative, I get a periodic newsletter from the Council with updates and news. Often, these newsletters are pretty dull, but the current one has some interesting information I -- in my role as your representative to the PCI Council -- want to share with you.

There is good news (I hope) for all of you looking at virtualization as potential technology that can make PCI compliance easier and less costly. The good news is that the Virtualization Special Interest Group has delivered its report, and the Council will be releasing it soon. Here are some details from the newsletter:
I know you've all been eager for the Council to release the findings of the Virtualization Special Interest Group (SIG). Thanks to their hard work and collaboration with the Council's Technical Working Group, guidance on the use of virtualization in accordance with the Payment Card Industry Data Security Standard (PCI DSS) will be released this month! We'll be hosting a webinar at the end of June to provide greater detail on the information supplement and address your questions.

To register for the Tuesday, June 28th session, click here.

To register for the Thursday, June 30th session, click here.

Another piece of good news is that the Prioritized Approach 2.0 (to match PCI DSS v 2.0) has been released. There are some good improvements in this version. If you are interested in this or if you wish to use it with the current version of PCI DSS, you can download a copy at the PCI Council's website.

The Council is offering a range of PCI training options. You can view the schedule (and pricing) for their instructor-led and online PCI training courses here. I guess I'd be remiss if I didn't also mention the Treasury Institute's own PCI training. The two are different: the Council focuses on the PCI DSS itself, whereas the Institute's workshops emphasize hands-on case studies of what other schools have done to become compliant (along with a PCI briefing). The training sessions are complementary, so even if you have been to the Treasury Institute workshops, it may make sense to check out the Council's offerings.

Lastly, for all you PCI fanboys, you now can follow the comings and goings of the world of PCI on LinkedIn. Click here to follow the Council.

Thursday, May 26, 2011

Visa Chargeback Publication: More than Meets the Eye

I recommend that every one of you who is responsible for payments, card processing, or PCI for your campus download a copy of Visa's Chargeback Management Guidelines for Merchants (click here). It's a long pdf, but it is worthwhile.

Here are some of my favorite parts, and you'll notice this document (which I first learned about from Branden Williams' excellent blog) has a lot more than just Chargebacks. Actually, it's a pretty good primer on payment cards.
  • Starting on page 10 is a great "Payment Card 101" that describes how a credit or debit card transaction flows through the system. The graphics are a lot slicker than the version I developed when I was at Visa (after all, it has been about 15 years!), and there is good text, too.
  • Page 14 offers a description of "convenience fees." The short answer is "the merchant must [Visa's emphasis] adhere to Visa rules." Want to know what the rules are? Simple... "please contact your acquirer."
  • Also on page 14 is one of my favorite topics: transaction laundering. It says that "Depositing transactions for a business that does not have a valid merchant agreement is called laundering. Laundering is not allowed." That means you don't process for unrelated third parties using your merchant ID. In fact, I wouldn't even allow a third-party merchant on my network. Either it is laundering (I call this "LaunderNet") or you are a Service Provider, and each is bad news from a risk and PCI perspective.
  • Page 15 tells you not to do cash or check refunds for card transactions. You are supposed to issue a credit back to the original card used. Even if it isn't a Visa requirement, this procedure is a good idea since it prevents another form of transaction laundering: charging a transaction with someone else's card (e.g., their parent's or roommate's, with or without permission) then getting a cash refund. Bad news all around.
  • Page 17 talks about your third-party service providers.
  • Check out page 22 for good advice on your POS receipts.
  • Page 35, and later page 80 cover the CVV2 (the security code on the back of the card).
  • And of course, if you actually want to learn more than you ever wanted to know about chargebacks and copy requests, that all starts getting serious around page 41.
That Visa released this to the broader merchant community is to be commended. Good job! So do your part and download it now.

Beware of Changes to SAQ C

Many schools use SAQ C for auxiliaries or other businesses. Sometimes, they will have a point of sale (POS) system that doesn't store cardholder data, but that accesses the Internet for authorizations. If that is you, read on, because a change to PCI v 2.0 may mean you no longer can use SAQ C.

SAQ C previously had five requirements:

  • the payment system and an Internet connection had to be on the same device
  • that device was not connected to any other system in the merchant’s environment
  • the merchant kept only paper reports or receipts
  • the merchant stored no electronic cardholder data
  • remote vendor support was managed securely.

The payoff for meeting these requirements was that a school or campus merchant could qualify to use this simplified SAQ and avoid the much longer, more involved, and significantly more costly process of using SAQ D.

Unfortunately some of you will no longer qualify to use SAQ C. The reason is that SAQ C now includes an additional, sixth requirement:

  • your company store is not connected to other store locations, and any LAN [local area network] is for a single store only.

This change means if your bookstore or food service operation or whatever supports a branch or second (or more) location(s) using their single POS system, they would need to use SAQ D.

The change to SAQ C will affect many universities that have retail or food service operations, and support multiple campus locations with a single POS system. I doubt cashiering operations will be affected very much.

We talked about this issue at the Treasury Institute's recent PCI workshop. I described the changes as part of covering what is new in PCI 2.0. It surprised me how many schools had not noticed the change in the SAQ. I admit it is a subtle change, but it is an important one for a lot of schools. It likely means they either have to license some additional POS applications so they have one for each location, or they are thrown into SAQ D.

If this situation describes your campus, I suggest you get to work on it now and not wait until the last minute. I hate to be the bearer of bad news, but better you should know than get caught up at the last moment.

Friday, April 15, 2011

Is Your Website Sending Spam?

I just saw an updated story on how a number of Higher Ed and government sites have been hijacked by spammers. The sites are used to redirect people to fake online stores.

Are you on the list?

According to the original post at Zscaler there seem to be about a hundred schools that have been compromised including (according to them):
  • UC Berkeley
  • Harvard
  • Purdue
  • Oklahoma State, and
  • Australian government
The fake stores claim to sell discounted Microsoft and Apple software. Heaven only knows what they are really doing, but the point is that you don't want your institution being part of it.

And the QSA in me has to wonder: if parts of the institution's website have been compromised, what about the rest of the site? For example, are you sure your campus merchants who re-direct customers to third-party hosted order pages are really sending them there and not to badguys.com?
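Here is an added example of the check that question suggests (mine, not from the blog or from Zscaler). It parses a constructed checkout page and lists every place the page can send the browser or the form data: form actions, iframes, scripts, links and meta refreshes. Anything off-site that is neither the merchant's own host nor an approved processor host is a finding, and so is a payment form posting over plain http. The approved hosts and the sample HTML are assumptions; the lookalike host in the sample is there to show why the comparison is on the exact hostname, not a substring.

```python
"""Check where a campus payment page actually sends the customer (added example).

Not from the blog or from any vendor's tooling. SAMPLE_PAGE is a constructed
merchant checkout page, and the approved hosted-order-page hosts and the
merchant's own hosts are assumptions: use the hosts your acquirer/processor gave you.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

APPROVED_PAYMENT_HOSTS = {"secure.example-processor.com"}   # assumption
OWN_HOSTS = {"bookstore.example.edu"}                        # assumption

SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://cheap-software-deals.example.net/">
<script src="https://bookstore.example.edu/js/cart.js"></script>
</head><body>
<form action="https://secure.example-processor.com/pay" method="post">...</form>
<form action="https://secure.example-processor.com.evil.example.org/pay" method="post">...</form>
<form action="http://secure.example-processor.com/pay" method="post">...</form>
<a href="/help">Help</a>
<a href="http://bookstore.example.edu/returns">Returns</a>
<iframe src="https://secure.example-processor.com/frame"></iframe>
</body></html>"""


class OutboundCollector(HTMLParser):
    """Collect every place the page can send the browser or its form data."""

    def __init__(self):
        super().__init__()
        self.targets = []   # (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag in ("iframe", "script") and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "a" and a.get("href"):
            self.targets.append(("link", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=http://..." ; a spammer's redirect lives here
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx >= 0:
                self.targets.append(("meta-refresh", content[idx + 4:].strip()))


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def audit(html, approved=APPROVED_PAYMENT_HOSTS, own=OWN_HOSTS):
    """Return (kind, host) findings: off-site targets not on the approved list,
    plus payment forms that post to an approved host without TLS. Relative URLs
    and the merchant's own hosts are fine. Hosts are compared exactly, so
    'secure.example-processor.com.evil.example.org' is not approved."""
    parser = OutboundCollector()
    parser.feed(html)
    findings = []
    for kind, url in parser.targets:
        host = host_of(url)
        if not host:                      # relative URL: stays on this site
            continue
        if kind == "form" and host in approved and urlparse(url).scheme != "https":
            findings.append(("form-not-https", host))
            continue
        if host in own or host in approved:
            continue
        findings.append((kind, host))
    return findings


if __name__ == "__main__":
    for kind, host in audit(SAMPLE_PAGE):
        print(f"{kind:15s} -> {host}")
```

On the sample it reports the spammer's meta refresh to the fake software store, the form posting to the lookalike processor host, and the form that reaches the real processor over http; fetch each merchant's live checkout page and feed it to audit() to get the same list for your campus.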

Thursday, April 7, 2011

Get Ready for Increased Phishing Attacks on Campus

If the phishing season were not already open, the Epsilon data breach certainly opened it. I recommend two recent articles that you should read and digest.

Over at Threatpost, there is an interview that highlights the vulnerability of higher education institutions. An excerpt is:

Threatpost: What trends are you seeing in the phishing arena these days?

Aaron Higbee: We’re seeing a lot of attacks aimed at verticals like government, financial services, insurance, health care and especially education. You wouldn’t have thought that education would be on that list, but we see a lot of universities targeted.

Threatpost: Why is that?

Aaron Higbee: Students are vulnerable. They’re required to put their Social Security Number into different forms, so they’re susceptible to being phished.

For the best summary of what to expect, surf over to the always informative and insightful blog by Brian Krebs. In this post he assesses the situation and offers some good advice and warnings for your users, particularly staff. This is required reading.

If you ever doubted why PCI so strongly recommends that you segment (read: isolate) your payment environment from the other applications and systems in your environment, the Epsilon and RSA data breaches should make the wisdom of that advice clear.

Have a read, then take a look at your own training to make sure you minimize the possible risk to your institution from the expected surge in phishing scams.

Thursday, March 17, 2011

RSA Data Breach and Your Two-Factor Authentication

As we all know, breaches happen. In an open letter to its customers, RSA, the security division of EMC, announced that they had suffered a security breach:

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

I am not going to speculate on anything, but you should be aware of the situation and monitor developments. After RSA's own statement, a good place to go is the Securosis blog which has its own summary of the situation. Since they did a better job than I could, I'll let you read their analysis of the situation and open questions.

Clearly this is no fun for anybody. But if you use RSA 2-factor authentication -- and who doesn't -- it is worth your monitoring developments.

Wednesday, March 16, 2011

Your Campus Hotel is Targeted

If you have a hotel or conference center on your campus, assume it is targeted by criminal hackers who want to get the stash of payment card information they keep.

I've written about this issue before (see here, here, and here). Three major hotel associations issued a joint statement today warning of cybercriminal attacks. Their basic recommendations were:
1. Eliminate EVERY default password on EVERY machine on your network -- server, workstation, router, firewall, and any other device that has a password. The most important machines to check are the ones you think are NOT vulnerable, such as a PC on an engineer's desk for monitoring building systems, or the PC in the parking garage attendant's office, or the one in a closet running your keycard system.

2. Eliminate holes in remote access to systems inside your network.

3. If you don't have a firewall, buy one and install it. If you are connected to the Internet without one, then people you don't know, from around the world and many with malicious intent, are reaching into your network. A recent University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day -- equating to one every 39 seconds. If that computer is in your hotel, and if their intent is to steal credit card data, they will probably succeed.
The release also endorses PCI DSS compliance. This is actually pretty smart given their three recommendations are pretty well covered by PCI Requirements: 2.1; 8.3 and 8.5.6; and 1.1 (and all its sub-sections), respectively.

The point is to share this information with your campus hospitality and conference organization. Let them know they are targeted, and to be PCI compliant every day -- not just the one day a year when you do your assessment. If you are not or cannot be PCI compliant today, do your best to protect your network perimeter and at least get rid of a lot of cardholder data that you probably don't need anyway.

Keep in mind the cybercriminals are very smart and well financed. You might also note that as far as I can tell, there are only two kinds of computer systems out there: those that have been breached, and those that are going to be.

Friday, March 11, 2011

Japan Earthquake and Phishing Scams

In the aftermath of the tragic earthquake in Japan, we can anticipate a swarm of fraudulent websites springing up offering video and opportunities to make contributions to victims. This might be a good time to warn everybody of the phishing risks. The bad guys have no morals, and you can expect your users to receive emails and be searching websites for videos.

The SANS Storm Center contains the following warning and advice:

There will probably be some email scams and malware circulating regarding the recent Japanese earthquake that occurred overnight.

Be aware of:

Fraudulent Organizations: If possible, donate to organizations you know and trust, not to new organizations just set up for this particular event. The IRS maintains a list of tax exempt charitable organizations [1]. This list is not 100% up to date, and it takes a while for a new organization to be added. But it can serve as a first sanity check.

Malware: Malware may be advertised as a video report of the event or come under other pretenses.

You might want to alert your users to be particularly vigilant during this period, both at work and at home.

Thursday, March 10, 2011

Vote for NACUBO on PCI Board of Advisors

If your institution is a Participating Organization on the PCI Council, this post is for you. Specifically, I would like to ask you to vote for NACUBO's nominee to the Board, MaryFrances McCourt. Electing MaryFrances would not only add a very qualified professional (to an already impressive Board), it would give Higher Education a voice at the table where PCI decisions are made.

The PCI Council is holding elections for its Board of Advisors. There are nominees from merchants, financial institutions, and vendors. The top vote getters serve a 2-year term. This is why I am asking that, if your institution is a member, you make sure to vote for NACUBO's nominee as your top (and maybe only) choice.

Voting is open now and continues until April 8.

MaryFrances is Treasurer of Indiana University. She is active in industry and professional activities outside of IU, and she has been an active proponent of PCI compliance at IU and in other forums nationwide. Her hands-on experience in achieving PCI compliance in an extremely complex environment (a large university) means she can represent Higher Ed's issues and perspective to the PCI Council. Please understand that while MaryFrances works for IU, as a member of the PCI Board of Advisors she would represent NACUBO and all of Higher Ed, not her institution.

If you are reading this blog and you are not a Higher Ed institution, that means that as a vendor, perhaps, Higher Ed is important to you. May I ask that you please consider voting for MaryFrances and NACUBO as being in both your and your customers' interest?

If your school is a Participating Organization, make sure you vote for NACUBO's nominee. It is in your own self interest and that of your colleagues at Higher Ed institutions nationwide.

Tuesday, February 22, 2011

PCI DSS Webinars

I will be doing a series of four webinars for Heartland Campus Solutions. Here are the dates and times:

  • March 4, 11 am Eastern
    Payment Card Industry Data Security Standard (PCI DSS):
    What it is and why it matters to Higher Ed institutions

    The first session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.

  • March 17, 11 am Eastern
    Validating your PCI Compliance:
    A Self-Assessment Questionnaire Clinic

    The second session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.

  • March 24, 11 am Eastern
    Third-Party Service Providers and Outsourcing:
    A fast track to PCI compliance?

    The third session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.

  • April 7, 11 am Eastern
    Your Campus PCI Survival Guide

    The fourth session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.

You can learn more and register for one or more of the webinars here (you may need to scroll down a little). And before you ask, no, you don't need to be a Heartland customer to listen and participate (lots of questions, please!) in any one webinar or the whole series.

For those of you new to PCI (or with colleagues in that situation), these will hopefully be a solid introduction to the standard, especially if they are attending the Treasury Institute's PCI Workshop in May.

I hope to "see" many of you there.

Tuesday, February 1, 2011

PCI at Educause Security Conference

I am looking forward to presenting at EDUCAUSE's 2011 Security Professionals Conference. The topic is PCI Compliance in Higher Education, and it will be a practical review of PCI DSS together with some best practices for achieving and maintaining compliance in a Higher Ed environment. Here's more on the conference:

The Security Professionals Conference connects information security professionals, security analysts and engineers, IT staff, privacy officers, C-level executives, and others from across the higher education community. It is the premier forum for strengthening the ability of the higher education sector to protect information assets from the changing threat vectors and respond to the ever-increasing compliance requirements imposed on the higher education community. The Security 2011 conference, "Setting a Course for Collaboration and Innovative Solutions," will focus on security topics that span the information assurance measures of people, process, and technology.

I am doubly excited to be presenting at EDUCAUSE's security conference. First, because they gave me a half-day (3.5 hours...better bring coffee!) at this premier event; and more importantly, because it is a chance to meet with a great group of IT and security people from institutions nationwide.

Here's the plan. The session is Seminar 01-P on Monday, April 4. I'll start out exploring the PCI ecosystem including PCI DSS, PA-DSS, and the card brand mandates. This will be a quick intro for some and review for others. I'll also cover some best practices for meeting what I call PCI Requirement 0 (Reducing scope). That will include outsourcing and related topics. I also plan to delve into changes in PCI version 2.0 and especially the new SAQ C-VT, as well as all the SAQs. I'm looking forward to lots of questions: the last time I did this I got to about my third slide before I was slammed with questions and we went off in whatever direction the audience wanted! I sure hope they have a whiteboard or flip chart.

If EDUCAUSE is in your plans, I hope you will register for my Monday afternoon seminar. Even if you don't like PCI, it's a chance to get to San Antonio a little early and enjoy that beautiful city a bit longer.

Friday, January 28, 2011

Level 2 Schools (And Maybe Everybody Else) - Read This

The PCI Council now has the full schedule of Independent Security Assessor training on its website (click here to view). Why is this important to all Level 2 Higher Ed institutions? Because under the new MasterCard validation requirements, you either have to have an ISA sign your Self-Assessment Questionnaire (SAQ), or you get to hire a QSA (did I give you my email???) to do it. And as everybody knows, if you are Level 2 for Visa, you are Level 2 for MasterCard even if you have only 1 transaction on that card.

It is great the Council has published the full 2011 schedule. Now you can plan which will be the best one for you. I recommend you surf over and have a look. The ISA training is a bit different this year:

Beginning in 2011 the new ISA training course will have a new look and feel to it to accommodate many of the suggestions the Council has received on the course. The course will consist of two parts: an on-line course followed by a short exam and a two-day instructor-led session ending with an exam.

You should note that only five of the courses are in the US. The others are in cities worldwide, so depending on your budget you can choose between San Diego or Sydney. There are some basic requirements to qualify for the training, and you can learn all that at the PCI Council's website.

The training is not free: $2,595 for schools that are not Participating Organizations, and $1,595 for those that are. Yet another benefit for those Higher Ed institutions that become POs.

Speaking of price, did I mention that the Treasury Institute's PCI Workshop is a fraction of this price, although you don't get the 2-day in-depth training on every requirement, and you don't get the ISA certification. (Yeah, I know...it's a shameless plug, but what do you expect on the Institute's own blog!?!)

More and more large institutions are finding that they are Level 2 merchants (over 1 million Visa or M/C transactions per year), and that they have a new PCI validation regime this year. I know this from my own experience with some of these institutions. If this describes your situation, you might want to take a look at this training.