Friday, June 24, 2011

Mobile Payments Update from PCI Council

The PCI Council has released its plans for PA-DSS validation of mobile commerce applications. In an announcement to Participating Organizations, it stated:

In November 2010 the Council announced that it would no longer accept mobile payment acceptance applications for PA-DSS review or validation until a thorough review was completed. Understandably, this was met by mixed reactions in the industry. While some applauded the decision - recognizing the very real complexity and security concerns these applications present - many of you, eager to take advantage of the benefits of mobile payment processing, were frustrated as to why this step was taken.

This was the first and necessary step that has allowed us to confidently give you clear direction now as to what types of applications can allow you to accept and process payments securely and support PCI compliance.

[Friday] the Council will publish an updated statement on PA-DSS and mobile payment acceptance applications, accompanied by a fact sheet designed to help in identifying and determining which payment applications can be reviewed and validated by the Council as secure for accepting and processing cardholder data and support merchant PCI DSS efforts.

In evaluating these applications in light of our standards, we've determined that the major risk is the environment that application operates within, and whether or not it can support a merchant's PCI DSS security efforts. Based on this evaluation, we've now identified the types of solutions that can meet PA-DSS requirements and support a PCI DSS compliant environment.

We've also determined the area where solutions can't currently meet PCI requirements - and now we are looking at this closer to see if and how these can be secured, collaborating with industry subject matter experts to produce additional guidance by the end of the year.

We recognize that you have been eagerly awaiting an update from the PCI Security Standards Council on how you can be sure the mobile payment applications you're deploying can accept and process payment cards securely, and we hope you'll take advantage of this first step with these resources today.

You can download a copy of the release by clicking here.

The good news is that for new mobile payment applications for their Category 1 (using PCI PTS devices) and Category 2 ("bundled" hardware and software devices), the door for PA-DSS validation is open. Unfortunately, I'd plan on about a year before there are PA-DSS versions of apps to run on your smartphones.

Meantime, another realistic option is to go for a hardware solution. This is in two parts. First, you will need a secure, likely PTS-listed device to read the mag stripe on the cards. This could be a "sled" or a Square-like plug-in attachment. Then (here's the big part) using the guidance expected soon on point-to-point encryption, a vendor can combine the device with encryption to take the phone itself out of scope. While the merchant won't have the functionality of a full payment app (which is what everyone really wants), they will be able to take cards securely using a mobile device.

There will be more developments in the coming months. Stay tuned...

Thursday, June 23, 2011

How Good is Your HR Policy?

The second part of the headline is: "...and Why You Should Care."

What I'm talking about is what happens when you dismiss someone or they decide to leave. How long does it take your HR and IT departments to cancel their user IDs and privileges?

PCI actually has a bit to say about your procedures, and even if you fill out a simplified SAQ, you should take a look. For example, Requirement 3.5.6 says that if the employee who leaves happens to be an encryption key custodian, you change your encryption key(s). It sounds pretty simple and obvious when you think about it, but will you know of this rather important detail when that happens? Does HR? Does IT know to tell HR (or vice versa)?

Then again, there is our old friend 8.5.4 which requires you to revoke immediately (the Council splits that infinitive, but ...) the password of any terminated employee. But what does "immediately" mean? To me, it means certainly no later than close of business the employee's last day. If you want a classic example of what can happen, you might want to check out this post from SANS.

You may want to terminate the user's ID the day before when the termination is "for cause." It may also be a good idea to terminate privileges two weeks in advance (or whenever notice is received) for an employee who is leaving voluntarily, or, in that case, at least to severely restrict the permissions the employee has.
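As an added illustration (my own example, not something from the Council or the standard), here is a small Python audit that applies the timing rules above to constructed HR, directory and key-custodian records and reports what is overdue. The record layout, user names, privilege names and key IDs are all assumptions; the "day before" deadline for a for-cause termination is the suggestion from this post, not a requirement of PCI DSS.

```python
# Offboarding audit (added example, not from the original post).
# Cross-checks constructed HR termination records against constructed
# directory accounts and encryption-key custodian records, applying the
# timing rules discussed above:
#   - terminated for cause: ID revoked no later than the day before the last day
#   - voluntary departure: privileges cut back once notice is received, and the
#     ID revoked no later than close of business on the last day (Req. 8.5.4)
#   - departing key custodian: every key they held custody of must be rotated
#     after their last day (Req. 3.5.6)
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed privilege names that count as "full" access for this audit.
FULL_PRIVS = {"admin", "cardholder_db", "vpn"}


@dataclass
class Termination:          # one HR termination record (constructed layout)
    user: str
    last_day: date
    for_cause: bool = False
    notice_date: Optional[date] = None   # voluntary: when notice was received


@dataclass
class Account:              # one directory account (constructed layout)
    active: bool
    privileges: Set[str] = field(default_factory=set)


@dataclass
class EncryptionKey:        # one key-management record (constructed layout)
    custodians: Set[str]
    last_rotated: date


def revocation_deadline(t: Termination) -> date:
    """Date by which the user ID must be disabled."""
    return t.last_day - timedelta(days=1) if t.for_cause else t.last_day


def audit(terminations: List[Termination], accounts: Dict[str, Account],
          keys: Dict[str, EncryptionKey], today: date) -> List[Tuple[str, str, str]]:
    """Return (finding, user, detail) tuples; an empty list means nothing is overdue."""
    findings = []
    for t in terminations:
        acct = accounts.get(t.user)
        deadline = revocation_deadline(t)
        # Still active past the revocation deadline.
        if acct and acct.active and today > deadline:
            findings.append(("REVOKE_OVERDUE", t.user,
                             f"deadline {deadline}, still active on {today}"))
        # Voluntary departure with notice given: full privileges should be gone.
        if (acct and acct.active and not t.for_cause and t.notice_date
                and today >= t.notice_date and acct.privileges & FULL_PRIVS):
            findings.append(("RESTRICT_OVERDUE", t.user,
                             f"still holds {sorted(acct.privileges & FULL_PRIVS)}"))
        # Key custodian has left: any key not rotated after the last day needs rotating.
        for key_id, key in keys.items():
            if t.user in key.custodians and today > t.last_day and key.last_rotated <= t.last_day:
                findings.append(("KEY_ROTATION_REQUIRED", t.user, key_id))
    return findings


# --- constructed sample data ------------------------------------------------
TODAY = date(2011, 6, 24)

TERMINATIONS = [
    Termination("alice", last_day=date(2011, 6, 20), for_cause=True),
    Termination("bob", last_day=date(2011, 7, 1), notice_date=date(2011, 6, 17)),
    Termination("carol", last_day=date(2011, 6, 10)),
]
ACCOUNTS = {
    "alice": Account(active=True, privileges={"admin"}),       # should have been disabled 6/19
    "bob": Account(active=True, privileges={"admin", "vpn"}),  # notice given, still full access
    "carol": Account(active=False),                            # properly disabled
    "dave": Account(active=True, privileges={"vpn"}),          # current employee, not in HR list
}
KEYS = {
    "dek-2011-01": EncryptionKey(custodians={"carol", "dave"}, last_rotated=date(2011, 3, 1)),
    "kek-2010-11": EncryptionKey(custodians={"alice"}, last_rotated=date(2011, 6, 21)),
}


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed data; expect three findings."""
    return audit(TERMINATIONS, ACCOUNTS, KEYS, TODAY)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep="\t")
```

On the sample data the audit reports alice (still active four days past the for-cause deadline), bob (notice received a week ago but still holding admin and VPN rights) and carol's key (she was a custodian of dek-2011-01, which was last rotated before she left); dave, a current employee, produces nothing. The point of wiring the three record sets together is that none of these findings is visible from HR, IT or key management alone.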

In these difficult times, it makes sense to look at all aspects of where PCI can protect your institution.

Friday, June 17, 2011

How the Stolen Card Market Works

There were a couple of interesting reports on NPR today. Each covers much of the same ground, but they provide some interesting background for all of us in the card business.

Here are a couple of links:

How to Buy a Stolen Credit Card

The FBI Agent who Broke the Black Market

Also, here is a podcast from PlanetMoney with Keith Mularski (same guy) on DarkMarket and how credit cards get stolen and fenced.

The bad guys are out there. They go for credit cards because (of course) that's where the money is.

Monday, June 13, 2011

PCI Virtualization Guidance Published

The PCI Council's Virtualization Special Interest Group (SIG) just released their report. You can download it here.

I'd recommend it to any school looking at or implementing virtualization in their PCI network.

Thursday, June 2, 2011

News From the PCI Council

As all of you know (I hope), NACUBO is a Participating Organization with the PCI Security Standards Council. As NACUBO's representative, I get a periodic newsletter from the Council with updates and news. Often, these newsletters are pretty dull, but the current one has some interesting information I -- in my role as your representative to the PCI Council -- want to share with you.

There is good news (I hope) for all of you looking at virtualization as potential technology that can make PCI compliance easier and less costly. The good news is that the Virtualization Special Interest Group has delivered its report, and the Council will be releasing it soon. Here are some details from the newsletter:

I know you've all been eager for the Council to release the findings of the Virtualization Special Interest Group (SIG). Thanks to their hard work and collaboration with the Council's Technical Working Group, guidance on the use of virtualization in accordance with the Payment Card Industry Data Security Standard (PCI DSS) will be released this month! We'll be hosting a webinar at the end of June to provide greater detail on the information supplement and address your questions.

To register for the Tuesday, June 28th session, click here.

To register for the Thursday, June 30th session, click here.

Another piece of good news is that the Prioritized Approach 2.0 (to match PCI DSS v 2.0) has been released. There are some good improvements in this version. If you are interested in this or if you wish to use it with the current version of PCI DSS, you can download a copy at the PCI Council's website.

The Council is offering a range of PCI training options. You can view the schedule (and pricing) for their instructor-led and online PCI training courses here. I guess I'd be remiss if I didn't also mention the Treasury Institute's own PCI training. The two are different: the Council focuses on the PCI DSS itself, while the Institute's workshops emphasize hands-on case studies of what other schools have done to become compliant (along with a PCI briefing). The training sessions are complementary, so even if you have been to the Treasury Institute workshops, it may make sense to check out the Council's offerings.

Lastly, for all you PCI fanboys, you now can follow the comings and goings of the world of PCI on LinkedIn. Click here to follow the Council.