<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-2476227841670103833</id><updated>2009-10-23T11:11:21.252-07:00</updated><title type='text'>SecurityMetrics</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.securitymetrics.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default?orderby=updated'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>SecurityMetrics</name><uri>http://www.blogger.com/profile/07621955675614021035</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>13</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-4350588762234659175</id><published>2009-07-27T10:04:00.001-07:00</published><updated>2009-07-27T10:04:45.028-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='IT risk'/><title type='text'>New research: Biggest card security risk is at merchant level</title><content type='html'>&lt;p&gt;Malware, counterfeit card fraud and card-not-present fraud are at the top of the list of threats to merchants today, according to a new report from the research firm &lt;a href="http://www.aitegroup.com/"&gt;Aite Group&lt;/a&gt; this month. 
The research report highlighted merchants as the most vulnerable point in the card data security ecosystem.&lt;/p&gt;  &lt;p&gt;The report, “Card Data Security: In Search of a Technology Solution,” surveyed heads of risk management at North American issuing banks and payment processors to determine what they saw as the biggest card security problems, the responsibilities of stakeholders and possible security solutions that could minimize the risk.&lt;/p&gt;  &lt;p&gt;Who is most at risk? The report says 62% of survey respondents named merchants, followed by acquirers, with 43% of respondents calling that group vulnerable or very vulnerable to security breaches. ISOs may have the least to worry about, with only 30% of respondents calling them vulnerable or very vulnerable to security breaches.&lt;/p&gt;  &lt;p&gt;Aite’s Nick Holland points out that the promising solution of shifting the industry from magnetic stripe cards to smart cards, also called EMV architecture, may never happen. Holland warns that, “with the deeply entrenched magnetic stripe infrastructure in the United States, and the cost and effort involved in transitioning stakeholders to chip and PIN infrastructure,” those costs may preclude a move to more secure EMV architectures.&lt;/p&gt;  &lt;p&gt;More info on the report is &lt;a href="http://www.aitegroup.com/reports/200907011.php"&gt;here&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Aite is also currently running a survey in which C-level technology and operations executives at North American banks can share their views on IT strategy trends in the banking industry. 
Click &lt;a href="http://aitegroup.com/Survey_IT_Strategy.php"&gt;here&lt;/a&gt; to participate.&lt;/p&gt;  &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2476227841670103833-4350588762234659175?l=blog.securitymetrics.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/4350588762234659175'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/4350588762234659175'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/07/new-research-biggest-card-security-risk.html' title='New research: Biggest card security risk is at merchant level'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-858340006988362862</id><published>2009-07-24T12:24:00.001-07:00</published><updated>2009-07-24T12:24:39.993-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI Tips/Tricks'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Nearly 90% ‘trying to implement PCI Compliance process’ says report</title><content type='html'>&lt;p&gt;A new report out from the &lt;a href="http://www.theiia.org/"&gt;Institute of Internal Auditors&lt;/a&gt; reveals that nearly 90 percent of companies surveyed are trying to implement a PCI compliance process. The report also says that 56 percent of companies are in compliance with PCI DSS today. 
&lt;/p&gt;  &lt;p&gt;The entire report, “Moving Toward PCI Compliance,” is available &lt;a href="http://www.theiia.org/"&gt;here&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;As a bonus, the report also offers tips from the IT Compliance Institute to help internal auditors achieve PCI compliance.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/858340006988362862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/858340006988362862'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/07/nearly-90-trying-to-implement-pci.html' title='Nearly 90% ‘trying to implement PCI Compliance process’ says report'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-7518477143242050921</id><published>2009-06-30T22:37:00.001-07:00</published><updated>2009-07-02T12:55:55.818-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI Tips/Tricks'/><title type='text'>Has your third party vendor put you at risk?</title><content type='html'>&lt;p&gt;Since 2006, over 70 retailers and payment processors have disclosed breaches that 
involved tens of millions of credit and debit card numbers, &lt;a href="http://www.journalgazette.net/article/20090629/BIZ/306299952/1031/BIZ"&gt;according to the Privacy Rights Clearinghouse.&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;As more and more small businesses comply with PCI DSS and consider their systems' resilience to attack, being hacked by a bad guy is still, as it should be, of utmost concern in the eyes of most business owners.&lt;/p&gt;  &lt;p&gt;But what if your security expert is the one that puts you at risk? Would you know?&lt;/p&gt;  &lt;p&gt;A business person runs a business. Regulations like PCI DSS and &lt;a href="http://www.networkworld.com/news/2009/021209-mass-data-privacy.html"&gt;other security&lt;/a&gt; laws are increasingly making business owners responsible for ensuring the integrity of their computer systems and credit card data. While simple measures such as deciding where to store paper credit card data or ensuring systems are locked in an appropriate facility within the business are fairly routine for a business owner to address, ensuring that computer systems are not only PCI-compliant but resilient to a hack goes beyond most business owners’ expertise.&lt;/p&gt;  &lt;p&gt;Most often a business will engage a 'security expert.' If a new system that could offer ‘improved’ security is required and deployed, most businesses rely on their &lt;a href="http://en.wikipedia.org/wiki/Point_of_sale"&gt;POS (Point of Sale)&lt;/a&gt; vendor to set it up in a secure manner, an arguably reasonable expectation.&lt;/p&gt;  &lt;p&gt;Not so fast. Our &lt;a href="http://www.securitymetrics.com/"&gt;forensics team&lt;/a&gt; was recently called in to perform an investigation for a small business owner in the Southeastern US that was hacked. 
In reviewing the log files and performing our investigation, we uncovered a very disturbing fact: the third party vendor had left behind information on the system that detailed several other businesses in the region that were also under contract to that same vendor, including passwords and computer configuration data.&lt;/p&gt;  &lt;p&gt;It was, in this case, a POS vendor and not a security vendor that had performed the system’s security setup. Attackers then used this information to access the other businesses named in the documentation left behind by the vendor. In each instance it was found that the business had been set up uniformly and exactly as each of the other businesses was set up, thereby making them all insecure. Additionally, each business had been set up to utilize the exact same &lt;b&gt;&lt;i&gt;default&lt;/i&gt;&lt;/b&gt; passwords for each location, giving the attacker immediate administrative access to over 40 additional businesses.&lt;/p&gt;  &lt;p&gt;There are reasons to be concerned about leaving your data security in someone else’s hands. Your customers entrust your business to protect the information they share with you. Breaching that trust could mean less business and could be far more damaging than monetary consequences like paying a fine for a security breach or a noncompliance fee to Visa.&lt;/p&gt;  &lt;p&gt;Picking your security vendor, and learning how your business can be more secure when working with a third party security or other vendor, should be a critical decision for any business owner. 
&lt;/p&gt;  &lt;p&gt;&lt;em&gt;-Dave Ellis, &lt;/em&gt;Director, Forensic Investigations&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/7518477143242050921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/7518477143242050921'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/06/has-your-third-party-vendor-put-you-at.html' title='Has your third party vendor put you at risk?'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-8416608870525598280</id><published>2009-06-30T11:07:00.001-07:00</published><updated>2009-06-30T11:07:12.432-07:00</updated><title type='text'>MasterCard’s changes could affect 2000 merchants</title><content type='html'>&lt;p&gt;SearchSecurity’s Marcia Savage put together a great summary of, and the industry response to, the increased PCI requirements &lt;a href="http://blog.securitymetrics.com/2009/06/mastercard-requires-authorized-qsa-for.html"&gt;announced last week by MasterCard&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;The new rules, she &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360442,00.html"&gt;reports,&lt;/a&gt; will mean that merchants processing between one and six million transactions annually, or Level 2 merchants, will be required to use a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 
31, 2010.&lt;/p&gt;  &lt;p&gt;MasterCard estimates that “fewer than 2,000 merchants will be directly affected by the revised rules,” according to the report.&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/8416608870525598280'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/8416608870525598280'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/06/mastercards-changes-could-affect-2000.html' title='MasterCard’s changes could affect 2000 merchants'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-4697239041525903933</id><published>2009-06-26T23:59:00.001-07:00</published><updated>2009-06-27T00:01:59.738-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Just What Is the Cost of a Breach?</title><content type='html'>&lt;p&gt;What is the cost of a breach to a retailer?&lt;/p&gt;  &lt;p&gt;We get asked this question all the time. Putting a number on this is exceptionally hard with so many variables coming into play. 
We expect that it is “a lot,” as TJX Companies found out this week.&lt;/p&gt;  &lt;p&gt;The company, which owns the large volume discount retailers T.J. Maxx and Marshalls, was the victim of perhaps the largest credit card breach disclosed by a retailer to date. This week it was announced that it has settled lawsuits with over 41 states. Back in January 2007 TJX disclosed that its systems had been hacked over a period of 18 months without the theft being detected.&lt;/p&gt;  &lt;p&gt;Under the terms of the settlement, the company has agreed to pay $9.75 million, according to multiple reports.&lt;/p&gt;  &lt;p&gt;SearchSecurity has a complete recap of the settlement &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1360065,00.html#"&gt;here.&lt;/a&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/4697239041525903933'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/4697239041525903933'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/06/cost-of-breach.html' title='Just What Is the Cost of a Breach?'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-56155421286455234</id><published>2009-06-23T17:28:00.001-07:00</published><updated>2009-06-24T17:27:02.449-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='QSA'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='MasterCard'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>MasterCard Requires ‘Authorized’ QSA for Level 1 &amp; 2 Merchants</title><content type='html'>&lt;p&gt;MasterCard announced a new &lt;a href="http://www.mastercard.com/us/sdp/merchants/merchant_levels.html#"&gt;requirement&lt;/a&gt; for Level 1 and Level 2 Merchants, mandating that these two groups use an authorized Qualified Security Assessor (QSA) to conduct a PCI DSS security assessment.&lt;/p&gt;  &lt;p&gt;The requirement has a &amp;quot;due date&amp;quot; of December 31, 2010, meaning that each Level 1 and 2 merchant must have submitted proof of compliance filed by an authorized QSA by that date; it is not the date by which you would START working with a QSA.&lt;/p&gt;  &lt;p&gt;Based on our experience validating PCI DSS compliance for Level 1 and Level 2 merchants over the past 5 years, achieving full compliance is not something to put off until sometime in 2010. Many large merchants required as much as 18+ months to get compliant, and not one was accomplished in less than 10 months. Many of these merchants had already conducted their own internal PCI audit or completed SAQs and had felt pretty good about their compliance program.&lt;/p&gt;  &lt;p&gt;Larger merchants should begin a program with an authorized QSA as soon as possible, no matter how compliant you ‘think’ you are. If your network and processes are in good shape, it could work out that you are done &amp;quot;early&amp;quot; for the MasterCard deadline, though chances are you will need the time to prepare for a compliant PCI DSS assessment.&lt;/p&gt;  &lt;p&gt;Level 1 merchants are defined as those that store, transmit, or process more than 6 million MasterCard transactions/accounts per year, and Level 2 are those that handle between 1 million 
and 6 million annually.&lt;/p&gt;  &lt;p&gt;&lt;em&gt;-Gary&lt;/em&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/56155421286455234'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/56155421286455234'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/06/mastercard-requires-authorized-qsa-for.html' title='MasterCard Requires ‘Authorized’ QSA for Level 1 &amp;amp; 2 Merchants'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-6048897736425779446</id><published>2009-06-17T15:00:00.001-07:00</published><updated>2009-06-17T15:00:57.135-07:00</updated><title type='text'>Who oversees payment security?</title><content type='html'>&lt;p&gt;A recent Visa-Economist poll of global executives was released at &lt;a href="http://usa.visa.com/download/merchants/2009-security-summit-summary.pdf"&gt;Visa’s Summit this Spring&lt;/a&gt;. The report showed that over 75 percent said a C-level executive is now responsible for payment security within their company, a good indicator that data security is being given more prominence in business. 
&lt;/p&gt;  &lt;p&gt;Moving the charter of safeguarding data to the C-Suite is a good start, and thanks to investment and innovative security solutions, &lt;em&gt;“fraud rates in the credit card industry remain near all-time lows,”&lt;/em&gt; said &lt;a href="http://www.corporate.visa.com/md/dl/documents/downloads/EllenRichey09SummitRemarks.pdf"&gt;Ellen Richey, Chief Enterprise Risk Officer, Visa Inc.&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;In her talk Richey goes on to note the real progress and inroads PCI has made, pointing to 90% of large U.S. merchants now validating compliance, and goes into detail about the Heartland breach, how a vigilant PCI program can contribute to overall data security, and the state of data security in credit cards.&lt;/p&gt;  &lt;p&gt;Good read…&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/6048897736425779446'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/6048897736425779446'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/06/who-oversees-payment-security.html' title='Who oversees payment security?'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-1540727296249349607</id><published>2009-06-12T01:08:00.001-07:00</published><updated>2009-06-12T01:08:18.661-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='IT risk'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach'/><title type='text'>Nokia mobile phone (circa-2003) gains popularity as online banking hack</title><content type='html'>&lt;p&gt;Investigators have figured out why there has been a surge in sales of a particular entry-level Nokia mobile phone from circa 2003: it allows users to hack into bank accounts.&lt;/p&gt;  &lt;p&gt;It turns out that authorities have known for some time that European gangs have been searching out the phone, but this is &lt;a href="http://www.pcworld.com/businesscenter/article/165326/investigators_replicate_nokia_1100_online_banking_hack.html"&gt;the first reported&lt;/a&gt; duplication of the online banking hack being used to gain access to victims' bank accounts. Specific models of the Nokia 1100, from one specific factory &lt;a href="http://www.thestandard.com/news/2009/04/21/nokia-we-dont-know-why-criminals-want-our-old-phones"&gt;according to the report,&lt;/a&gt; have been implicated in the hack. Just last month Nokia said that it had no idea why there was an uptick in demand and interest in the older model device. 
&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/1540727296249349607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/1540727296249349607'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/06/nokia-mobile-phone-circa-2003-gains.html' title='Nokia mobile phone (circa-2003) gains popularity as online banking hack'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-303142873417896983</id><published>2009-05-21T10:43:00.001-07:00</published><updated>2009-05-21T11:03:23.444-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='IT risk'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI Tips/Tricks'/><title type='text'>To store or not to store, the top PCI Question</title><content type='html'>&lt;p&gt;One of the most frequent questions we get asked by merchants is where they should store their cardholder data. The answer to this question is a resounding: you shouldn't store any cardholder data!&lt;/p&gt;  &lt;p&gt;In reality that is not entirely possible for all merchants. We recommend that merchants not store cardholder data unless it is absolutely essential to do business. 
As &lt;a href="https://www.pcisecuritystandards.org/docs/saq_d_v1-1.doc"&gt;PCI DSS&lt;/a&gt; words it: &amp;quot;3.1 Keep cardholder data storage to a minimum&amp;quot;.&lt;/p&gt;  &lt;p&gt;Thieves cannot steal what is not there. Before a merchant gets hacked, they often feel it is very important to store card data. Once a merchant experiences an attack, we have seen that mindset shift into one that tries to find a way to eliminate card data from their system entirely.&lt;/p&gt;  &lt;p&gt;For Point-of-Sale transactions where the credit card is physically present, it is best to adopt real-time authorization and settlement. By doing so, the merchant can push the card data completely off of their systems; they never store it in the first place. If the merchant is storing the card number and batching out once a day, the merchant is required to comply with &lt;a href="https://www.pcisecuritystandards.org/docs/saq_d_v1-1.doc"&gt;SAQ-D&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;If batching is required, try to set up a system where a compliant processing solution captures all card data upon authorization, returning only an authorization code to the merchant. This approach ensures that cardholder data is removed entirely from the system at the time of authorization. The merchant later batches using the authorization codes instead of the cardholder data, eliminating the risk entirely.&lt;/p&gt;  &lt;p&gt;For recurring billing transactions merchants will need to store customer card data, billing information, and other sensitive data. To reduce risk in this situation, the merchant must never, under any circumstances, store the security code (CVV2, CVV, etc.) following the very first authorization. There are no exceptions to this requirement. 
PCI DSS says &amp;quot;Sensitive authentication data must not be stored after authorization (even if encrypted).&amp;quot;&lt;/p&gt;  &lt;p&gt;Requirement 3 of PCI DSS details the full set of rules for cardholder data storage.&lt;/p&gt;  &lt;p&gt;&lt;em&gt;-Lee, Strategic Accounts&lt;/em&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/303142873417896983'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/303142873417896983'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2009/05/to-store-or-not-to-store-top-pci.html' title='To store or not to store, the top PCI Question'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-2782344582562245856</id><published>2008-02-04T09:05:00.000-08:00</published><updated>2008-02-04T09:10:03.863-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='IT risk'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Businesses now "expect" data security breaches</title><content type='html'>&lt;span class="296352817-01022008"  style="font-family:trebuchet ms;"&gt;&lt;span style="font-size:85%;"&gt;&lt;a href="http://www.symantec.com/"&gt;Symantec's&lt;/a&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt; second annual &lt;a 
href="http://www.symantec.com/business/theme.jsp?themeid=inform"&gt;IT risk management survey&lt;/a&gt; &lt;/span&gt;&lt;span style="font-size:85%;"&gt;indicates that 59% of businesses concede that "a major loss of customer information is expected once every five years" and that on average each breach "exposes the data of more than 785,000 customers."&lt;/span&gt;&lt;/span&gt; &lt;div style="font-family:trebuchet ms;"&gt;&lt;span style="font-size:85%;"&gt;Of those surveyed, 69 percent said they believe they will encounter at least one minor incident per month, with 63 percent predicting a major IT failure at least once a year.&lt;/span&gt;&lt;/div&gt; &lt;div style="font-family:trebuchet ms;"&gt;&lt;span style="font-size:85%;"&gt;The survey also pointed to compliance, and ensuring you are operating in accordance with regulations like PCI DSS, as continuing drivers of IT security priorities. In fact, "IT availability management and compliance projects are just as important, if not more important, than traditional IT security efforts." 
Survey participants reported compliance (68 percent), performance (70 percent), and availability (78 percent) as serious or critical risk factors in the data center.&lt;/span&gt;&lt;/div&gt; &lt;div style="font-family:trebuchet ms;"&gt;&lt;span style="font-size:85%;"&gt;You can sign up and view the survey &lt;a href="http://www.symantec.com/business/theme.jsp?themeid=inform"&gt;here&lt;/a&gt;.&lt;/span&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/2782344582562245856'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/2782344582562245856'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2008/02/businesses-now-expect-data-security.html' title='Businesses now &quot;expect&quot; data security breaches'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' 
name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-1410558317015529724</id><published>2008-01-24T17:35:00.000-08:00</published><updated>2008-01-24T17:42:00.509-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Visa'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Visa Says 2007 Saw 'Significant' PCI Progress Among US Retailers</title><content type='html'>Visa released a &lt;a href="http://www.corporate.visa.com/md/nr/press753.jsp?src=home"&gt;statement this week&lt;/a&gt; about the state of PCI compliance. They say that "as of the end of 2007, more than three-fourths of the largest U.S. merchants (those processing six million or more Visa transactions annually) and nearly two-thirds of medium-sized merchants (those processing between one million and six million Visa transactions annually) have now validated their compliance with the &lt;a href="https://www.pcisecuritystandards.org/"&gt;Payment Card Industry Data Security Standard&lt;/a&gt; (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa's U.S. transaction volume."&lt;br /&gt;&lt;br /&gt;The numbers? Visa points to a jump from "12 percent in March 2006 to 77 percent" by year end among large merchants, and says that for medium-sized merchants "compliance grew from 15 percent in December 2006 to 62 percent."&lt;br /&gt;&lt;br /&gt;The company is calling for complete compliance among its entire merchant base -- all the way down to small merchants, or Level 4s. In fact, Visa says "100 percent of active U.S. 
acquirers have submitted plans to Visa and are in the process of implementing their security programs."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2476227841670103833-1410558317015529724?l=blog.securitymetrics.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/1410558317015529724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/1410558317015529724'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2008/01/visa-says-2007-saw-significant-pci.html' title='Visa Says 2007 Saw &apos;Significant&apos; PCI Progress Among US Retailers'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-5136417525137526025</id><published>2007-12-21T13:17:00.000-08:00</published><updated>2007-12-21T13:19:55.785-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><category scheme='http://www.blogger.com/atom/ns#' term='Misc'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Could PCI Stem Voter Fraud?</title><content type='html'>It could happen if a report out of Ohio is any indication. We came upon this interesting post over at the &lt;a href="http://www.treasuryinstitute.org/blog/"&gt;TreasuryInstitute's blog&lt;/a&gt; on yet another use for PCI standards. 
They point to an &lt;a href="http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf"&gt;interesting study &lt;/a&gt;(download here) that used PCI DSS as a benchmark to assess the integrity of voting systems in Ohio.&lt;br /&gt;&lt;br /&gt;A team of computer scientists was commissioned by the Ohio Secretary of State to "assess the reliability, accessibility, and security of electronic voting systems used in Ohio." The team compared systems against a common baseline of information security practices -- in this case PCI DSS -- to determine the security risk in voting systems used in the state. The report notes that "The framework was originally designed to be applied to credit card processing systems, but easily extends itself to any form of critical data." It makes sense.&lt;br /&gt;&lt;br /&gt;Ohio has long been considered a state crucial to the outcome of past presidential elections, and voter fraud in that state has been a hot topic. As a result of the security assessment, Jennifer Brunner, Ohio's secretary of state, has said that voting systems in &lt;a href="http://news.cincypost.com/apps/pbcs.dll/article?AID=/20071220/NEWS01/712200371"&gt;Ohio are insecure &lt;/a&gt; and is proposing to replace all the state's voting machines with optical-scan machines for a more secure and clear audit trail.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2476227841670103833-5136417525137526025?l=blog.securitymetrics.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/5136417525137526025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/5136417525137526025'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2007/12/could-pci-could-stem-voter-fraud.html' title='Could PCI Stem Voter 
Fraud?'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry><entry><id>tag:blogger.com,1999:blog-2476227841670103833.post-8422724765871461291</id><published>2007-12-05T13:14:00.000-08:00</published><updated>2007-12-05T14:21:31.978-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='SecurityMetrics News'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>The TJMaxx Lesson</title><content type='html'>&lt;div  style="text-align: left;font-family:trebuchet ms;"&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;Visa has struck a deal with TJMaxx to settle what may be the &lt;a href="http://www.darkreading.com/document.asp?doc_id=120810"&gt;biggest breach of customer data in history&lt;/a&gt;. TJMaxx &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62035146,00.htm"&gt;has offered $40.9 M US as a settlement&lt;/a&gt; over their security incident and has until 2009 to be fully compliant with &lt;a href="https://www.pcisecuritystandards.org/"&gt;PCI DSS&lt;/a&gt;, according to published reports.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt; &lt;/div&gt;&lt;div  style="text-align: left;font-family:trebuchet ms;"&gt; &lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div  style="text-align: left;font-family:trebuchet ms;"&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;The TJMaxx incident was certainly bad for consumers. 
Some estimates claim that close to 100  million customer accounts were compromised, while TJMaxx &lt;a href="http://www.zdnetasia.com/news/security/0,39044215,62011583,00.htm"&gt;publicly acknowledged 45 million  customer accounts were compromised&lt;/a&gt; in a statement last year. In an effort to prevent future issues, legislation was  proposed in several states to compel businesses to secure customer data. Proposals were drafted in California, Illinois and a few other states.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div  style="text-align: left;font-family:trebuchet ms;"&gt; &lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div  style="text-align: left;font-family:trebuchet ms;"&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;Ironically, the  "TJMaxx lesson" has been good for Level 1 retailers and the security  industry providing PCI compliance solutions. The discount retailer had some unfortunate timing on their disclosure, and as the first big  breach of customer data to gain broad exposure it quickly became  the litmus test for other Level 1s. It is a great reference for what is compliant and what is not.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div  style="text-align: left;font-family:trebuchet ms;"&gt; &lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div  style="text-align: left;font-family:trebuchet ms;"&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;Under the recently announced deal, it seems that Visa will continue to work with TJMaxx and has agreed to reduce some fines. 
Some critics have said that the company &lt;a href="http://www.boston.com/business/globe/articles/2007/12/04/tjx_escapes_a_beating/"&gt;has fared well &lt;/a&gt;throughout this ordeal and point to strong sales. But fines are just one of the costs that TJMaxx, or any retailer caught in this situation, must endure. Damage to reputation and other indirect costs are immeasurable.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;An interesting part of the settlement agreement between Visa and TJMaxx requires the merchant to promote PCI DSS and &lt;a href="http://www.digitaltransactions.net/newsstory.cfm?newsid=1596"&gt;raise awareness of the risk of noncompliance for the next two years&lt;/a&gt;. Talk about being the poster child for PCI DSS compliance!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div face="trebuchet ms" style="text-align: left;"&gt; &lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div face="trebuchet ms" style="text-align: left;"&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;December 31st marks the next major deadline in PCI compliance, when Level 2 merchants must be compliant. Level 2 merchants should heed the "TJMaxx lesson" and make sure they can prove their conformance. Being the first to fail is not a good thing, we have learned. And retailers have a &lt;a href="http://news.google.com/news?source=ig&amp;amp;hl=en&amp;amp;rlz=&amp;amp;q=pci+data&amp;amp;um=1&amp;amp;ie=UTF-8&amp;amp;sa=N&amp;amp;tab=wn"&gt;bad case of PCI confusion&lt;/a&gt; according to eWeek's Evan Schuman.&lt;br /&gt;&lt;br /&gt;To help minimize any confusion, today we started offering a quick start&lt;span style=";color:black;" &gt; Site Certification program priced from $139.99 US for a single IP address for the first year to help Level 2s (and others!) 
meet the &lt;a href="http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20071125/BUSINESS/711250314/1003"&gt;upcoming &lt;/a&gt;&lt;/span&gt;&lt;a href="http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20071125/BUSINESS/711250314/1003"&gt;December 31, 2007 &lt;/a&gt;&lt;span style=";color:black;" &gt;&lt;a href="http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20071125/BUSINESS/711250314/1003"&gt;deadline&lt;/a&gt; or just to &lt;a href="http://usa.visa.com/merchants/risk_management/cisp.html"&gt;reduce overall risks&lt;/a&gt; associated with payment card processing. It's usually $699, so that is an 80% savings to jumpstart your PCI compliance program.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div face="trebuchet ms" style="text-align: left;"&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;&lt;span style=";color:black;" &gt;&lt;/span&gt;&lt;/span&gt; &lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div style="font-family: trebuchet ms; text-align: left;"&gt; &lt;/div&gt;&lt;div face="trebuchet ms" style="text-align: left;"&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;&lt;span style=";color:black;" &gt;Call us. &lt;/span&gt;&lt;/span&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;&lt;span style=";color:black;" &gt;801 705 5665. 
&lt;/span&gt;&lt;/span&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;&lt;span style=";color:black;" &gt;We love to talk about PCI :-) &lt;/span&gt;&lt;/span&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;&lt;span style=";color:black;" &gt;We can handle all of your PCI issues -- from forensics after an attack to scanning to auditing to designing a strategy tailored to your needs. &lt;/span&gt;&lt;/span&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;&lt;span style=";color:black;" &gt;We've seen it all. Really.&lt;/span&gt;&lt;/span&gt;&lt;span class="272454505-05122007"  style="font-size:85%;"&gt;&lt;span style=";color:black;" &gt; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="272454505-05122007"&gt;&lt;span style=";font-family:'Trebuchet MS';font-size:10;color:black;"   &gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2476227841670103833-8422724765871461291?l=blog.securitymetrics.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/8422724765871461291'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2476227841670103833/posts/default/8422724765871461291'/><link rel='alternate' type='text/html' href='http://blog.securitymetrics.com/2007/12/why-tjmaxx-was-good-thing-for-pci-or.html' title='The TJMaxx Lesson'/><author><name>SecurityMetrics PR</name><uri>http://www.blogger.com/profile/08957699674723265360</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='01697192380214837056'/></author></entry></feed>