Tuesday, June 30, 2009

Has your third party vendor put you at risk?

Since 2006, over 70 retailers and payment processors have disclosed breaches involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse.

As more and more small businesses comply with PCI DSS and consider their systems' resilience to attack, being hacked by a bad guy is still, as it should be, of utmost concern in the eyes of most business owners.

But what if your security expert is the one that puts you at risk? Would you know?

A business person runs a business. Regulations like PCI DSS and other security laws are increasingly making business owners responsible for ensuring the integrity of their computer systems and credit card data. While simple processes such as where to store paper credit card data or ensuring systems are locked in an appropriate facility within the business are fairly routine processes for a business owner to address, ensuring that computer systems are not only PCI-compliant but resilient to a hack goes beyond most business owners’ expertise.

Most often a business will engage a 'security expert.' If a new system is required and deployed that could offer ‘improved’ security, most businesses rely on their POS (Point of Sale) vendor to set up a system in a secure manner – an arguably reasonable expectation.

Not so fast. Our forensics team was recently called in to perform an investigation for a small business owner in the Southeastern US that was hacked. In reviewing the log files and performing our investigation we uncovered a very disturbing fact -- the third party vendor had left behind information on the system that detailed several other businesses in the region that were also under contract to that same vendor including passwords and computer configuration data.

It was, in this case, a POS vendor and not a security vendor that had performed the system's security setup. Attackers then used this information to access the other businesses named in the documentation the vendor left behind. In each instance we found that the business had been set up identically to every other business on the list, which made all of them equally insecure. Additionally, each business had been configured with the exact same default passwords at every location, giving the attacker immediate administrative access to over 40 additional businesses.

There are reasons to be concerned about leaving your data security in someone else's hands. Your customers entrust your business to protect the information they share with you. Breaching that trust could mean less business and could be far more damaging than monetary consequences like paying a fine for a security breach or a noncompliance fee to Visa.

Picking your security vendor, and learning how your business can stay secure when working with a third-party security vendor or any other vendor, should be treated as a critical decision by any business owner.

-Dave Ellis, Director, Forensic Investigations

MasterCard’s changes could affect 2000 merchants

SearchSecurity’s Marcia Savage put together a great summary and industry response to increased PCI requirements announced last week by MasterCard.

The new rules, she reports, mean that merchants processing between one and six million transactions annually (Level 2 merchants) will be required to use a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010.

MasterCard estimates that “fewer than 2,000 merchants will be directly affected by the revised rules” according to the report.

Friday, June 26, 2009

Just What Is the Cost of a Breach?

What is the cost of a breach to a retailer?

We get asked this question all the time. Putting a number on it is exceptionally hard, with so many variables coming into play. We expect that it is "a lot", as TJX Companies found out this week.

The company, which owns the large-volume discount retailers T.J. Maxx and Marshalls, was the victim of perhaps the largest credit card breach disclosed by a retailer to date. This week it was announced that it has settled lawsuits brought by 41 states. Back in January 2007 TJX disclosed that its systems had been hacked over a period of 18 months without its security staff detecting the theft.

Under the terms of the settlement, the company has agreed to pay $9.75 million according to multiple reports.

SearchSecurity has a complete recap of the settlement here.

Tuesday, June 23, 2009

MasterCard Requires ‘Authorized’ QSA for Level 1 & 2 Merchants

MasterCard announced a new requirement for Level 1 and Level 2 Merchants, mandating these two groups must use an authorized Qualified Security Assessor (QSA) to conduct a PCI DSS security assessment. 

The requirement has a "due date" of December 31, 2010, meaning that each Level 1 and Level 2 merchant must have submitted proof of compliance filed by an authorized QSA by that date; it is not the date by which you merely need to START working with a QSA.

Based on our experience validating PCI DSS compliance for Level 1 and Level 2 merchants over the past 5 years, achieving full compliance is not something to put off until sometime in 2010. Many large merchants required as much as 18+ months to get compliant, and not one did it in less than 10 months. Many of these merchants had already conducted their own internal PCI audit or completed SAQs and had felt pretty good about their compliance program.

Larger merchants should begin a program with an authorized QSA as soon as possible, no matter how compliant you 'think' you are. If your network and processes are in good shape, it could work out that you are done "early" for the MasterCard deadline, though chances are you will need the time to prepare for a compliant PCI DSS assessment.

Level 1 merchants are defined as those that store, transmit, or process more than 6 million MasterCard transactions/accounts per year and Level 2 are those that handle between 1 million and 6 million annually.

-Gary

Wednesday, June 17, 2009

Who oversees payment security?

A recent Visa-Economist poll of global executives was released at Visa’s Summit this Spring. The report demonstrated that over 75 percent said a C-level executive is now responsible for payment security within their company, which is a great indicator of data security being given more prominence in business.

Moving the charter of safeguarding data to the C-Suite is a good start but thanks to investment and innovative security solutions, “fraud rates in the credit card industry remain near all-time lows,” said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc.

Richey goes on to note the real progress and inroads PCI has made, pointing to 90% of large U.S. merchants now validating compliance, and in her talk goes into details about the Heartland breach, how a vigilant PCI program can contribute to overall data security, and the state of data security in credit cards.

Good read…

Friday, June 12, 2009

Nokia mobile phone (circa-2003) gains popularity as online banking hack

Investigators have figured out why there has been a surge in sales of a particular entry-level Nokia mobile phone from circa 2003: it allows users to hack into bank accounts.

It turns out that authorities have known for some time that European gangs were seeking out the phone, but this is the first reported case of the online banking hack being duplicated to gain access to victims' bank accounts. Specific models of the Nokia 1100, from one specific factory according to the report, have been implicated in the hack. Just last month Nokia said it had no explanation for the recent uptick in demand and interest in the older model.

Thursday, May 21, 2009

To store or not to store, the top PCI Question

One of the most frequent questions we get asked by merchants is where they should store their cardholder data. The answer to this question is a resounding - you shouldn't store any cardholder data!

In reality that is not entirely possible for all merchants. We recommend that merchants not store cardholder data unless it is absolutely essential to doing business. PCI DSS words it this way: "3.1 Keep cardholder data storage to a minimum".

Thieves cannot steal what is not there.  Before a merchant gets hacked they often feel it is very important to store card data. Once a merchant experiences an attack, we have seen that mindset shift into one that tries to find a way to eliminate card data from their system entirely.

For Point-of-Sale transactions where the credit card is physically present, it is best to adopt real-time authorization and settlement. By doing so, the merchant can push the card data completely off of their systems; they never store it in the first place. If the merchant is storing the card number and batching out once a day, the merchant is required to comply with SAQ D.

If batching is required, try to set up a system where a compliant processing solution captures all card data upon authorization and returns only an authorization code to the merchant. This approach ensures that cardholder data is removed from the merchant's system at the time of authorization. The merchant later batches using the authorization codes instead of the cardholder data, eliminating the stored-card-data risk.

For recurring billing transactions merchants will need to store customer card data, billing information, and other sensitive data. To reduce risk in this situation the merchant must never, under any circumstances, store the security code (CVV2, CVV, etc.) following the very first authorization.  There are no exceptions to this requirement. PCI DSS says "Sensitive authentication data must not be stored after authorization (even if encrypted)." 

Requirement 3 details the entire cardholder data storage rules of PCI DSS.
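As an added example (not part of the original post, and not any processor's or POS vendor's code), the following Python script shows both halves of the advice above: what a merchant's settlement record should look like when only the authorization code and last four digits are kept after a real-time authorization, and a simple discovery check that finds full PANs (13-19 digits, Luhn-validated) and stored security-code fields in data a POS system has written to disk. The batch records, field names and authorization codes are constructed test data using industry test card numbers, not real transactions.

```python
"""Added example: cardholder-data discovery plus the post-authorization record
a merchant should actually keep. Uses constructed data and test PANs only."""
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names under which POS software commonly stores the security code
# (sensitive authentication data; PCI DSS forbids storing it after authorization).
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return full PANs found in a string, as plain digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_record(record: Dict[str, str]) -> List[str]:
    """Findings for one stored record: any full PAN in any field, and any
    non-empty security-code field at all."""
    findings = []
    for key, value in record.items():
        if key.lower() in CVV_KEYS and value:
            findings.append(f"{key}: security code stored (never allowed after authorization)")
        for pan in find_pans(str(value)):
            findings.append(f"{key}: full PAN {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
    return findings


def scan_batch(batch: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map transaction id -> findings, for records that have any."""
    result = {}
    for record in batch:
        findings = scan_record(record)
        if findings:
            result[record["txn"]] = findings
    return result


def record_after_authorization(record: Dict[str, str], auth_code: str) -> Dict[str, str]:
    """What the merchant keeps once the processor has captured the card data:
    the authorization code and last four digits for receipts and lookups.
    The PAN, expiry and security code are dropped and never written to disk."""
    pan_digits = re.sub(r"\D", "", record["pan"])
    return {
        "txn": record["txn"],
        "auth_code": auth_code,
        "last4": pan_digits[-4:],
        "amount": record["amount"],
    }


# Constructed sample: a batch file a POS might write before end-of-day settlement.
# These are published test card numbers, not real accounts.
BAD_BATCH = [
    {"txn": "1001", "pan": "4111 1111 1111 1111", "expiry": "12/11", "cvv2": "123", "amount": "42.00"},
    {"txn": "1002", "pan": "5555555555554444", "expiry": "03/12", "cvv2": "", "amount": "19.95"},
]

# The same transactions as they should be stored: authorization code only.
# Authorization codes are made up for the example.
GOOD_BATCH = [
    record_after_authorization(BAD_BATCH[0], "A1B2C3"),
    record_after_authorization(BAD_BATCH[1], "Z9Y8X7"),
]

if __name__ == "__main__":
    for txn, findings in scan_batch(BAD_BATCH).items():
        for f in findings:
            print(f"txn {txn}: {f}")
    print("findings in good batch:", scan_batch(GOOD_BATCH))
```

Running the script reports a full PAN in both records of BAD_BATCH and a stored CVV2 in the first, and nothing in GOOD_BATCH, because an authorization code and four trailing digits are not cardholder data a thief can use. In a real engagement the scan would be pointed at the POS database, export directories and log files rather than an in-memory list, and the Luhn filter is what keeps it from flagging every phone number and order id.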

-Lee, Strategic Accounts