Summing It Up


The 6 Biggest Stumbling Blocks to a Successful PCI Audit

Is Your Organization PCI Compliant?

Author: Alex Douds

PCI DSS, the Payment Card Industry Data Security Standard, is a set of 12 requirements grouped under six goals. It is prescriptive: it tells organizations which controls to put in place to protect their customers' payment card data. In that sense it is more about security than about compliance. The goals cover topics such as building and maintaining a secure network, protecting cardholder data, and regularly monitoring and testing networks.

Most organizations think they are doing everything necessary to be PCI compliant and are adequately prepared, whether for their first PCI audit or their fifth. But are they really? A PCI audit is usually performed by a Qualified Security Assessor (QSA), an assessor trained and qualified by the PCI Security Standards Council to conduct these assessments.

Experienced QSAs, such as Freed Maxick, know that there are six areas, or "stumbling blocks", around which organizations need to be particularly vigilant in order to design and maintain the controls needed to achieve and keep PCI compliance. We'll start with the least common problem and work our way to number one on the hit list!

So What Does Your Business Need To Watch For?

(6) Lack of Security Awareness and Training: The ugly truth about data breaches is that it's not so much a matter of if you'll be a target, but when. The 2008 Study on the Uncertainty of Data Breach Detection in the U.S. by the Ponemon Institute concluded that approximately 80 percent of businesses in this country have been hit at least once by a data breach. According to the Ponemon Institute, there are three main causes of a data breach: personal negligence, which accounts for 40 percent of cases; system glitches (36 percent); and malicious or criminal attacks (24 percent). Small and mid-sized merchants often lack the awareness, security background and resources that larger businesses can muster to run an effective security awareness training program against these threats. Annual and ongoing security awareness training is required by the PCI DSS, and negligence, the largest single cause above, is exactly what it targets.

(5) Not Monitoring Computers and Other Systems for Intrusions and Anomalies: Software and hardware exist to help businesses track normal activity and anomalies within their systems, detecting intrusions and misuse by monitoring system activity. To tell what "attack traffic" is, the system must first be taught what normal activity looks like, otherwise it drowns in false positives; that baseline also has to be refreshed whenever the environment changes. In addition, intrusion detection must sit both at the perimeter and at critical points inside the cardholder data environment, so that traffic moving within the PCI environment is monitored, not just traffic crossing its edge. Many organizations neglect the internal critical points, and this shows up as a finding at audit. The Freed Maxick technology consulting team can help your organization identify what monitoring needs to be put in place and, as QSAs, advise on meeting the intent of this requirement.

(4) Not Encrypting Data: Encrypted data is unreadable and unusable to an intruder who does not also have the keys. Many businesses make the mistake of storing cardholder data when it is not absolutely necessary, or storing it without proper encryption. Other "don'ts": do not store the three- or four-digit card validation code; do not let PIN entry device (PED) terminals print unmasked payment card data (printouts should show at most the first six and last four digits of the PAN); do not store payment card data in payment terminals; and do not permit unauthorized people access to stored cardholder data.

Merchants should develop data retention and disposal policies that limit both the amount of cardholder data stored and how long it is kept to what business, legal and regulatory purposes actually require, and should delete it on schedule. You should also know where payment card data flows for the entire transaction process. Use strong cryptography (or truncation, a one-way hash of the full PAN, or index tokens) to render any PAN you store unreadable. Payment applications themselves can be verified against the Payment Application Data Security Standard (PA-DSS).
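As an added illustration of the two points above (render the stored PAN unreadable, and enforce retention mechanically), here is example code written for this page; it is not Freed Maxick's or the PCI Council's code. It assumes a record with field names like "pan", "expiry" and "cvv2" (hypothetical), uses an HMAC-SHA256 keyed hash as the "index token" form of rendering the PAN unreadable, and keeps only the masked first-six/last-four digits alongside it. The key is generated at import time purely so the demo runs; in a real deployment it comes from a key-management service.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical per-deployment secret. In production it lives in a key-management
# service or HSM and is rotated; it is generated here only so the demo runs.
TOKEN_KEY = os.urandom(32)

# Field names assumed for this illustration. Sensitive authentication data must
# never be persisted after authorization, even encrypted (PCI DSS requirement 3.2).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}


@dataclass(frozen=True)
class StoredCard:
    token: str       # keyed hash of the PAN: usable as a lookup key, not reversible
    masked_pan: str  # first six and last four digits, the most PCI DSS allows to be displayed
    expiry: str      # expiry month/year is not sensitive authentication data and may be kept
    stored_on: str   # ISO date, so the retention policy can be enforced mechanically


def normalize_pan(pan: str) -> str:
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits


def mask_pan(pan: str) -> str:
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    # A keyed hash, not a bare SHA-256: the PAN space is small enough to enumerate,
    # so an attacker who steals the token table must also steal the key to reverse it.
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def store_card(record: Dict[str, str], key: bytes = TOKEN_KEY,
               today_iso: Optional[str] = None) -> StoredCard:
    forbidden = FORBIDDEN_FIELDS & {name.lower() for name in record}
    if forbidden:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(forbidden)}")
    return StoredCard(
        token=tokenize_pan(record["pan"], key),
        masked_pan=mask_pan(record["pan"]),
        expiry=record["expiry"],
        stored_on=today_iso or date.today().isoformat(),
    )


def purge_expired(records: List[StoredCard], retention_days: int,
                  today_iso: str) -> List[StoredCard]:
    # Retention limit comes from the written policy; anything older is deleted, not archived.
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r.stored_on) >= cutoff]


if __name__ == "__main__":
    key = b"\x01" * 32  # fixed key so the demo output is reproducible
    print(store_card({"pan": "4111 1111 1111 1111", "expiry": "12/29"}, key, "2024-01-01"))
    try:
        store_card({"pan": "4111111111111111", "expiry": "12/29", "cvv2": "123"}, key)
    except ValueError as err:
        print(err)
```

The refusal in store_card is the important part: it makes the "no sensitive authentication data after authorization" rule a property of the code path rather than of a policy document, and the masked PAN is all that is ever written in clear.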

(3) Storing Too Much Data: Many clients ask what card data can and cannot be stored. More specifically, can CVV and CVV2 card verification values be stored? The simple answer is "no". According to PCI DSS requirement 3.2, the storage of sensitive authentication data after authorization is strictly prohibited, even if the data is encrypted. The requirement spells this out: do not store the card verification code (the three- or four-digit value printed on the card and used to verify card-not-present transactions), full magnetic stripe or chip track data, or PINs and PIN blocks. Businesses that do not know how much card data their systems are actually holding, in databases, logs, backups and spreadsheets, are rarely PCI compliant.

(2) Not Understanding the Flow of Data: A key to PCI compliance is for the organization and its QSA to understand the flow of card data, including what is stored and what is encrypted. To know what should and should not be stored, organizations must understand where card data goes, how it gets there, which wireless networks touch it, how it is processed and how it is transmitted. Network documentation is extremely valuable to a QSA, and overlaying the card data flow on the network diagram is invaluable: it gives the company a unified, clear picture of where card data is stored, processed or transmitted, and identifies every supporting and connected system and device, which is exactly the set of systems the audit will scope.
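The practical way to find out whether points (3) and (2) above are true of your own environment is a cardholder data discovery scan: walk the logs, exports and databases you believe are out of scope and look for PANs that should not be there. The following is an added example written for this page, not code from the original article or from Freed Maxick. It matches 13- to 19-digit candidates, keeps only those that pass the Luhn check (which every brand's PAN satisfies, so most order numbers and timestamps drop out), flags lines where a card verification value or track data sits next to the PAN, and masks the PAN in its own output so the report does not become one more place card data is stored. The log lines and the field names cvv2, track1 and so on are constructed for the demo.

```python
import re
from typing import Dict, List

# A PAN is 13 to 19 digits; allow single spaces or dashes between digits, since
# that is how humans (and badly written loggers) write them.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed for the demo) that mean sensitive authentication data is
# being written next to a PAN, which PCI DSS requirement 3.2 forbids after authorization.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|track[12]|pin(?:_block)?)\s*[:=]", re.IGNORECASE)

# Constructed sample: an application log a merchant might not realize is in scope.
# The card numbers are well-known test PANs, not real cards.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=10021 pan=4111 1111 1111 1111 cvv2=123 amount=19.99
2024-03-01 10:02:12 order=10022 ref=1234567890123456 status=ok
2024-03-01 10:03:40 order=10023 pan=5555555555554444 exp=12/29 amount=42.00
2024-03-01 10:05:00 support callback requested, phone 555-123-4567
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most numeric IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    # First six and last four are the most PCI DSS allows a display to show.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> List[Dict[str, object]]:
    """One finding per Luhn-valid PAN, with the PAN already masked in the finding."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if not luhn_ok(digits):
                continue
            findings.append({
                "source": source,
                "line": lineno,
                "masked_pan": mask_pan(digits),
                "sad_nearby": bool(SAD_FIELD.search(line)),
            })
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Per-source counts: how many PANs, and how many have SAD beside them."""
    by_source: Dict[str, Dict[str, int]] = {}
    for f in findings:
        entry = by_source.setdefault(str(f["source"]), {"pans": 0, "with_sad": 0})
        entry["pans"] += 1
        entry["with_sad"] += int(bool(f["sad_nearby"]))
    return by_source


if __name__ == "__main__":
    found = scan_text("constructed_app.log", SAMPLE_LOG)
    for f in found:
        flag = "  <-- SAD stored next to PAN" if f["sad_nearby"] else ""
        print(f'{f["source"]}:{f["line"]} {f["masked_pan"]}{flag}')
    print(summarize(found))
```

Run it over every data store you think is out of scope (log directories, backups, shared drives, support ticket exports); a single hit puts that system into the cardholder data environment and therefore into the audit. Luhn filtering is not perfect, so review hits from sources with many long numeric identifiers by hand.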

The number one problem on our PCI Compliance hit list is……

(1) Not Appropriately Segmenting the Network Infrastructure that Processes, Transmits or Stores PCI Data: A critical step for any organization that wants to minimize the heavy cost of PCI compliance is segmenting the PCI network, the cardholder data environment (CDE), from the rest of the organization's IT infrastructure. Segmentation follows the commonly used strategy of minimization: store as little sensitive data in as few locations as possible, and allow access only to those who absolutely need it. The PCI DSS encourages all organizations to segment their networks "through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network." Like most standards, it states a high-level goal while leaving flexibility in implementation. The relevant PCI DSS section reads: "At a high level adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as: a given network's configuration, the technologies deployed, and other controls that may be implemented."

Segmentation is not itself a PCI DSS requirement, but without it the entire network is in scope. All organizations should work with a QSA to verify that proper segmentation is in place before their initial PCI audit and again whenever a significant change is made to a segmented network, because a single undocumented rule or flat VLAN can silently pull systems back into scope. Network segmentation gives the organization better security and monitoring by confining the CDE to a limited part of the network infrastructure. Even more importantly, it can drastically reduce the scope of the PCI audit and therefore increase an organization's likelihood of a successful result.

Freed Maxick is here to help!

At Freed Maxick, we understand you face unique challenges in assessing the effectiveness of your technology. With this in mind, we offer a customized, flexible approach based on your needs. We can give you senior-level attention and personalized service. Our technology consultants have experience across a number of industries, which often yields opportunities to increase productivity and reduce costs. And if you contact us today we can offer a reduction in price on a quarterly self-assessment scan!

Merchant Eligibility for the PCI DSS Self-Assessment Questionnaire Process

Which SAQ is Right for Your Situation?

Author: Alex Douds

The PCI Self-Assessment Questionnaire (SAQ) is a list of questions used to assess compliance with the requirements of the PCI DSS. The SAQ process is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment. Any oversight in the SAQ process puts the entire PCI compliance effort at risk, so having a QSA assist with or review a self-assessment is a common risk mitigation strategy among small to mid-size merchants and service providers. PCI DSS requirements can be complex and difficult to navigate for any organization, but particularly for smaller organizations with limited IT staff and resources. Even when a QSA review is not mandatory, organizations often seek a QSA's advice to make sure everything in the SAQ has been completed correctly.

There are multiple versions (A, B, C-VT, C, D) of the PCI DSS SAQ to fit different business situations. The most comprehensive, SAQ D, for merchants who store cardholder data on their systems, requires answers to over 220 questions.

A brief overview follows:

Type   SAQ    Description
1      A      Card-not-present (e-commerce or mail/telephone-order) merchants with all cardholder data functions outsourced. Never applies to face-to-face merchants.
2      B      Imprint-only merchants with no electronic cardholder data storage.
3      C-VT   Merchants using web-based virtual terminals, with no electronic cardholder data storage.
4      C      Merchants with POS systems connected to the Internet, with no electronic cardholder data storage.
5      D      All other merchants (not included in types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.

If you are a merchant, it is important to understand whether you need an on-site assessment to reach PCI DSS compliance or whether you can use the self-assessment process. If you can self-assess, it is then important to determine which SAQ is the right one for your situation, since choosing a narrower SAQ than your environment warrants invalidates the result.

Need more information about how you can get in compliance with PCI Data Security Standards or the compliance process that’s right for you? Contact us here. Or call Larry Hessney at 585-360-1480.

Why Should Merchants Comply with PCI Security Standards?

PCI Data Security is Not the Headache You Might Expect

Author: Alex Douds

Why should you, as a merchant, comply with the PCI Security Standards? At first glance, especially if you are a smaller organization, it may seem like a lot of effort, and confusing to boot. However, compliance is becoming increasingly important, and it may not be the headache you expected.

Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences. Here are some reasons why.

Compliance with the PCI DSS means that your systems meet a recognized security baseline, and customers can trust you with their sensitive payment card information:

  • Trust means your customers have confidence in doing business with you.
  • Confident customers are more likely to be repeat customers, and to recommend you to others.

Compliance improves your reputation with acquirers and payment brands - the partners you need in order to do business.

Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future:

  • As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats.
  • The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals. 
  • When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise.

Compliance has indirect benefits as well:

  • Through your efforts to comply with PCI Security Standards, you'll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX, etc.
  • You’ll have a basis for a corporate security strategy.
  • You will likely identify ways to improve the efficiency of your IT infrastructure.

But if you are not compliant, it could be disastrous:

  • Compromised data negatively affects consumers, merchants, and financial institutions.
  • Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future.
  • Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company.
  • Possible negative consequences also include:
    • Lawsuits
    • Insurance claims
    • Cancelled accounts
    • Payment card issuer fines
    • Government fines

Need more information about how you can get in compliance with PCI Data Security Standards or the compliance process that’s right for you? Contact us here. Or call Larry Hessney at 585-360-1480.
