Archive for April, 2017

28
Apr
17

The Five Stages Of PCI

Had a meeting with a prospect recently that is bound and determined to avoid PCI compliance yet still will accept payment cards.

My response?  Good luck with that!

You would think after 15 years of PCI (and actually even longer) that people would understand that PCI compliance is a fact of life.  But I continue to find that PCI is no different than the five stages of grief.

Denial

This is where that prospect is now.  They cannot believe that there is no way to avoid PCI compliance.

For once and for all, if your organization accepts payment cards, you MUST comply with the PCI DSS.  Do not like that answer?  There is nothing as a QSA I can do to effect that fact.

However, for merchants there is a way out.  Do not accept payment cards for payment.  It is that simple.

That answer though immediately leads to the next stage.

Anger

I once had a prospect tell me very emphatically that PCI was unenforceable.  I asked them if they had read their Merchant Agreement with the bank that allowed them to accept payment cards for payments.  To my astonishment they said, “What the [expletive] does that have to do with anything?”

You can be angry all you want but PCI compliance is a legal, contractual requirement documented in the Merchant Agreement, Card Operating Rules and other documentation referenced in those documents.  Someone in your organization signed that Merchant Agreement – most likely your Chief Financial Officer (CFO), Controller, Treasurer or heaven forbid – the person that is blowing their cork.  That is the person you should share your anger with, not me.  As a QSA, I am just the messenger.

Anger is even worse with service providers.  Particularly those that provide services tangential to card processing such as those that provide network, firewall or server management services.  They had no idea that their customer(s) needed them to be PCI compliant because they never realized that their service(s) could affect the security of payments.  These folks get totally blindsided by PCI compliance and hence their anger.

I have found that anger over PCI can last a long, long time with some organizations and people.  I still have clients that are angry about it.  It may be less aggressively displayed, but you can tell that they are still angry.

Bargaining

A lot of organizations get stuck in this stage.  They are bound and determined to find that “silver bullet” that somehow magically gets them to PCI compliance with the minimum amount of effort (i.e., none).  They know it is out there and all they need to do is find it.

Because of this stage and the fact that organizations get stuck in it, there are any number of “snake oil” PCI compliance solutions that prey on those in the ‘Bargaining’ stage.  All of them have “The Solution” that will solve your organization’s PCI compliance problem.  They have a pitch for every day of the week and for every situation.  Just ask them.  But at the end of the day, all of these solutions just address one or two PCI compliance issues and do not result in that magical “silver bullet” that those in this stage continue to seek.

Another indicator of organizations stuck in this stage are that they go through compliance and IT leaders like a teenage girl goes through boyfriends.  You immediately know an organization is in the ‘Bargaining’ stage as a QSA because you are always dealing with someone new every year.

Another telltale of a ‘Bargaining’ stage organization is that they are constantly arguing with their QSA over what PCI DSS requirements they need to comply.  PCI is not anything at all like “Let’s Make A Deal”.  It gets even worse when they argue the PCI DSS like it is a legal document and you get discussions over the meaning of the word ‘is’.  At the end of the day, your QSA or acquiring bank cannot cut you a deal on what PCI DSS requirements your organization can ignore.

The bottom line is that the absolute least level of PCI compliance any organization can have are the requirements documented in SAQ A.  Period.  There is nothing less than those requirements.  And SAQ A requires that an organization totally outsource to a third party everything related to card processing.  And I do mean everything.  Nine times out of ten, complete outsourcing is unacceptable to organizations who demand control over their business processes and the “look and feel” of their operations.

Depression

Once an organization realizes that there are no “silver bullets”, depression quickly sets in.  With some clients you can see depression get deeper with every data breach announcement that hits the media.  All they can imagine is that their organization is next.

Then there is the fact that PCI compliance is going to cause changes and cost people, time and money to address compliance gaps.  This is where a good QSA can be of great help.  A good QSA can give you options to minimize those resources.  Good QSAs understand that most merchants do not exist on huge margins and that investments with an ROI of more than three years are very painful and difficult to justify.

Unfortunately, in a lot of cases, there are not a lot of options available and even good QSAs are not miracle workers.  This is particularly true when the organization has not invested in infrastructure and application software in a long time.  Worse is when they have invested (usually heavily) in one or more of those “silver bullets” from the ‘Bargaining’ stage and they assist in their compliance efforts only minimally.

Acceptance

I would like to tell you that I have a lot of clients in this stage, but I do not.  Although the number is growing slowly but surely.

But the good news is that if you can get your organization to this stage, there are benefits.

The biggest benefit in my view is that organizations in Acceptance “get” security and why it is a necessary “evil” in today’s ever more connected world.  Never mind the PCI component.

Those at this stage are great to deal with because they have taken steps to minimize their PCI scope and simplify their card processing as much as possible.  They have standardized processes.  They understand that PCI compliance improves their organization’s security.  And not just for the security of cardholder data but for the security of all sensitive information and the whole organization.  Their investments in PCI compliance have paid off (sometime in spades) as they simplified their operations and got rid of sensitive information that they have no longer deemed necessary to retain.

A lot of organizations in this stage have integrated some or all of the PCI DSS requirements into their everyday operations.  As a result, PCI compliance is a daily affair, not the once a year fire drill that it is for most organizations.

These organizations are not perfect by any sense of the word.  But they are a level or more above other organizations and that is all it takes.  Because information security is no different than those movies that show a herd of animals being chased by a lion or tiger.  To survive, you just have to make sure that you are not one of the weakest animals in the pack.  Or as a friend of mine has said for years, “My security program does not have to be the best, just better than yours.”

10
Apr
17

MFA – It Is All In The Implementation

I have been challenged over the last few weeks over requirement 8.3.1 along with the implications of the Council’s latest Information Supplement on multi-factor authentication (MFA).  Requirement 8.3.1 does not go into effect until February 1, 2018, but there are a lot of organizations trying to get a jump on it.  As a result I am hearing from QSAS that they are getting more and more questions and scenarios to see if they are PCI compliant.

As a reminder, requirement 8.3.1 states:

“Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.”

The most common and biggest challenge has come from organizations that have implemented MFA across their entire network and therefore believe that they are automatically in compliance with 8.3.1.

Not so fast.  The guidance for 8.3.1 states:

“If the CDE is segmented from the rest of the entity’s network, an administrator would need to use multi-factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication can be implemented at network level or at system/application level; it does not have to be both. If the administrator uses MFA when logging into the CDE network, they do not also need to use MFA to log into a particular system or application within the CDE.”

According to this guidance, it is the cardholder data environment (CDE) that is the border for the MFA, not the network as a whole.  So while an organization might have implemented MFA as part of their general security, having MFA for the entire network does not meet the requirement of 8.3.1.

We need to remember what drove the development of requirement 8.3.1 was a lesson learned from the Target and similar breaches.  In all of these breaches, system administrators were spear phished allowing the attackers to access the CDE in one way or another.  Requirement 8.3.1 minimizes this threat by requiring MFA to gain access to the CDE.  So even if an attacker obtains an administrator’s credentials or compromises an administrator’s system, that fact in and of itself would not compromise the CDE.

This is why the guidance for 8.3.1 puts the MFA border at the CDE.  If you have MFA implemented in order to gain access to your network, how does that stop the threat of phishing?  It does not.  A spear phishing attack against such an MFA implementation defeats the MFA because it has already been applied.  The MFA in this scenario does not stop access to the CDE.

But keep in mind, MFA only minimizes the risk to administrators.  You still need to be vigilant in ensuring that administrator systems remain secure and free of viruses and malware.  As such, it is not unusual to find that organizations are taking more active approaches to securing administrator systems including adding other technologies such as file integrity monitoring, white listing and/or black listing in addition to anti-virus.

But it is not just administrators you need to worry about.  Anyone that has access to bulk cardholder data (CHD) that is stored is also at risk.  As a result, we are starting to see organizations also requiring these users to use MFA to access the CDE as well as having their systems implement enhanced security to ensure they remain uncompromised.

Just some things to think about as you got through your MFA discussions.

02
Apr
17

Business Continuity And PCI

This topic came up this past week in a conversation.  I had to go to the PCI DSS v3.2 and check to make sure what was being discussed was accurate.  The discussion was around requirement 12.10.1 which says:

“Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:

  • Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum

  • Specific incident response procedures

  • Business recovery and continuity procedures

  • Data backup processes

  • Analysis of legal requirements for reporting compromises

  • Coverage and responses of all critical system components

  • Reference or inclusion of incident response procedures from the payment brands.”

The points of the discussion focused on the third and fourth bullets.  Yes, that is right, they are calling out business recovery and continuity procedures and data backup processes.  This caught me a bit flat footed at first.

For those of you that have been involved in or around PCI for a while are probably scratching your heads because the PCI DSS has never truly cared about business continuity unless it was a hot failover solution.  The Council has even said so much at various Community Meetings over the years when business continuity and disaster recovery have come up as question topics.

So, what is the deal?

Well, the guidance provided for 12.10.1 sure does not give you a clue as it only says:

“The incident response plan should be thorough and contain all the key elements to allow your company to respond effectively in the event of a breach that could impact cardholder data.”

And the Report On Compliance (ROC) is still only asking for the name of the QSA that will attest to the incident response plan including these items.

Is the PCI DSS now interested in business continuity?

As I said earlier, the PCI DSS was to a degree interested in business continuity if it was always active as with a hot failover scenario and they have always been concerned about data backup processes as witnessed by requirements 9.5, 9.6, 9.7 and 9.8.  The more we discussed these topics the more we believe that the PCI DSS is looking for organizations to ensure continuity of their PCI compliance when they invoke their business continuity plan.

The PCI DSS has only included business continuity (aka disaster recovery) in scope if cardholder data (CHD) is actively involved.  This happens when organizations have hot recovery capabilities in their disaster recovery data center or are replicating data (that includes CHD) in real time to a disaster recovery site.  Otherwise, the disaster recovery site is not in scope for the PCI assessment.  As a result, most organizations push back on including their disaster recovery sites in their PCI assessments if they are cold or warm sites with no CHD involved.

However, here is the rub with that approach.  Under the PCI DSS and the card brand agreements, the moment that any disaster recovery site becomes active because of a disaster, it is required to be PCI compliant.  There is no grace period.  None.

So, if a disaster recovery site has never been assessed for PCI compliance, how does an organization know it will be compliant?  They do not.  There could be significant PCI compliance issues not just with the site, but with the emergency business processes as well.  That is why smart organizations periodically assess their disaster recovery sites and processes for PCI compliance so that there are few, if any, PCI compliance surprises when they activate them.

While the PCI DSS is not asking for an assessment of business continuity and data backup processes, the PCI DSS is providing a friendly reminder to organizations that business continuity can become a compliance problem and should be looked at before it creates an issue.




Announcements

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

April 2017
M T W T F S S
« Mar   May »
 12
3456789
10111213141516
17181920212223
24252627282930

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,836 other followers