2011 PCI Breach Research

There is a very good article at InfoWorld Security Central (a great source for IT and security information generally) on Trustwave's research into 2011 breach statistics.  According to the article, hackers infiltrated 312 businesses and made off with customer payment-card data.  Seventy-six percent of those intrusions came in through third-party vendor remote-access applications, or VPNs set up for remote systems maintenance.  These external ingress paths introduced security deficiencies that attackers then exploited.

The vast majority of the 312 companies were retailers, restaurants or hotels, and they came to Trustwave for incident response help after one of the payment-card organizations traced stolen cards back to their businesses, demanding a forensics investigation within a matter of days.  Only 16% of the 312 companies detected the breach on their own!

The businesses hit claimed to be compliant with Payment Card Industry (PCI) security standards, when in reality there were gaps.  The remote-access provisions were poorly protected by simple, re-used, shared, and seldom-changed passwords.

I will leave the scariest statistic, how long the attackers were able to maintain ownership of the networks in these cases, for you to seek out yourself on the second page of the article.  It is not a happy number!

The lesson to take away from this article is that PCI compliance is the bare minimum an organization should do, and DOES NOT equate to comprehensive security.  A PCI DSS pass does not ensure actual compliance either; it attests that the bare-minimum, common-sense controls were in place at a single point in time.  It is a good starting point, but good security practice must spread out from the cardholder data environment.  If your security efforts don’t include the other servers, the workstations that access them, AND the Internet-facing paths into them, you are not managing security, you are faking it for compliance's sake.  Russian roulette with a fully loaded gun.

Subway Sandwich’s $3M Security Lesson

Instead of coming in with guns and robbing the till, criminals can target small businesses and steal from them digitally, from anywhere on the planet.  The tools used in the crime are widely available to anyone willing to take the risk, and small businesses’ generally poor security practices and reliance on inexpensive software packages make them easy pickings. 

In a scheme dating back at least to 2008, ArsTechnica reports a band of Romanian hackers has been stealing payment card data from the point-of-sale (POS) systems of hundreds of small retail businesses, including over 150 Subway restaurant franchises, ringing up over $3 million in fraudulent charges.  In an indictment unsealed in a New Hampshire court, the hackers are alleged to have gathered the credit and debit card data from over 80,000 victims. 

The methods used by the attackers were not sophisticated.  The compromised systems were located by scanning IP address ranges for hosts running a specific type of remote desktop access software (a port scan).  The software was either unprotected or guarded only by weak passwords, and it provided back-door access to the POS systems.
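The attackers in both stories above found their targets the same way: by scanning for remote-access services reachable from the Internet.  A defender can run the same inventory against their own address space before the attackers do.  The following is an added example, not code from the original post or from any of the articles it cites; it parses nmap's grepable (-oG) output and flags hosts that expose common remote-access ports.  The scan text is a constructed sample, the port-to-product table is an assumption for the example, and nothing here touches the network.

```python
"""Inventory Internet-exposed remote-access services from an nmap -oG scan.

Added example, not from the original post.  SCAN_OUTPUT is a constructed sample
in nmap's grepable format, not a real scan of any network.
"""
import re
from typing import Dict, List, Optional, Tuple

# Ports that commonly front remote-maintenance tools.  This table is an
# assumption for the example; extend it with whatever your POS vendors use.
REMOTE_ACCESS_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP (Microsoft Terminal Services)",
    5631: "pcAnywhere",
    5800: "VNC over HTTP",
}

# Constructed sample of `nmap -oG` output (TEST-NET addresses, no real hosts).
SCAN_OUTPUT = """\
# Nmap 5.51 scan initiated -- constructed sample, not a real scan
Host: 203.0.113.10 (pos-01.example)\tPorts: 3389/open/tcp//ms-wbt-server///, 5900/open/tcp//vnc///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 203.0.113.11 (pos-02.example)\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 203.0.113.12 (vendor-gw.example)\tPorts: 5631/open/tcp//pcanywheredata///\tIgnored State: closed (999)
Host: 203.0.113.13 ()\tStatus: Up
"""

Port = Tuple[int, str, str, str]  # (port, state, protocol, service)


def classify(port: int) -> Optional[str]:
    """Name the remote-access product behind a port, or None if not of interest."""
    if 5900 <= port <= 5910:          # VNC display :0 .. :10
        return "VNC"
    return REMOTE_ACCESS_PORTS.get(port)


def parse_grepable(output: str) -> Dict[str, List[Port]]:
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG text."""
    hosts: Dict[str, List[Port]] = {}
    for line in output.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        host = fields["Host"].split(" ", 1)[0]
        ports: List[Port] = []
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # -oG port entry layout: port/state/protocol/owner/service/rpc info/version/
            parts = entry.split("/")
            ports.append((int(parts[0]), parts[1], parts[2], parts[4]))
        hosts[host] = ports
    return hosts


def exposed_remote_access(hosts: Dict[str, List[Port]]) -> List[Tuple[str, int, str]]:
    """Hosts with a remote-access port actually open (filtered ports are not reachable)."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port, state, proto, _service in ports:
            name = classify(port)
            if proto == "tcp" and state == "open" and name:
                findings.append((host, port, name))
    return findings


def report(output: str = SCAN_OUTPUT) -> List[Tuple[str, int, str]]:
    findings = exposed_remote_access(parse_grepable(output))
    for host, port, name in findings:
        print(f"{host}: {name} open on tcp/{port} -- restrict to vendor source IPs or a VPN, "
              f"and enforce unique, strong credentials")
    return findings


if __name__ == "__main__":
    report()
```

Run it against `nmap -oG scan.txt` of your own public ranges; every finding is a remote-access path that should be restricted to known vendor source addresses (or moved behind a VPN) and given a unique, non-shared credential.  Note that 203.0.113.11 is not reported: its RDP port is filtered, so it is not reachable from the scanning position.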

PCI Awareness Training

The PCI Security Standards Council has announced the availability of an official, online PCI Awareness training course.  The cost of the course is currently $495.  This is a four-hour, introductory-level course designed for anyone interested in PCI, providing an overview of PCI security basics.  The self-paced training gives anyone the opportunity to learn about the PCI DSS, its impact and benefits, and the importance of PCI compliance.

This program is intended to help stakeholders better understand and implement the standards, covering the following topics:

  • What PCI is, and what it means to be compliant with the PCI Data Security Standard.
  • Key roles and responsibilities in the compliance process.
  • How credit card brands differ in their requirements for PCI reporting and validation.
  • Overview of the transaction process, including infrastructure used to accept payment cards, and communicate with the verification and payment facilities.
  • Real world examples of PCI challenges and successes.

The new online format allows access to the knowledge base of official PCI trainers from the comfort of your home or office.  Organizations looking to educate their employees across business functions about their roles in maintaining PCI compliance should definitely take advantage of this course.  The course also offers up to 4 continuing professional education credits for security staff development.

The PCI Data Security Standard requires organizations to run a formal security awareness program and to educate staff upon hire and at least annually (Requirement 12.6).  This official PCI Awareness course is one way to begin meeting that commitment.

To register for PCI Awareness online, visit the PCI Security Standards Council web site.

Personally, I think that this sort of training should be delivered free of charge to encourage adoption and improve compliance, or at least at a significantly lower price point to gain deep organizational penetration, but I don’t run the world…  Maybe it’s time to start putting out the “UnOfficial PCI Awareness” training.  There is a PCI course offered by IT-Governance for $75, and Clearent claims to offer a free awareness program.

New PCI Supplement – Protecting Telephone-Based Card Data

Today, customers can swipe credit cards in POS readers, use e-commerce sites online, or, quite commonly, complete payment transactions over the telephone.  New guidance has just been issued by the PCI Security Standards Council aimed at securing payment card data collected and stored via call centers and over-the-phone payments.  This guidance is necessary and timely.  Card data collected over the telephone or by voice-based payment systems is often overlooked as a vulnerable payment channel, and it has become a target for criminals.

The PCI Council’s Protecting Telephone-Based Payment Card Data information supplement provides actionable recommendations for merchants and service providers to process payment card data over the phone in a secure manner.  What makes phone-based payments unique, and more vulnerable than other payment channels, is the combination of regulatory requirements to record calls with the “card-not-present” capture of sensitive authentication data, such as the CVV or CVC code, which then ends up in the recording.  It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization, even if it is encrypted.  These codes must not be retained in any form.  Full primary account numbers (PANs) may only be kept with additional protective controls: a stored PAN must be rendered unreadable (Requirement 3.4) using strong cryptography, truncation, tokenization or one-way hashing, and it must be masked to at most the first six and last four digits wherever it is displayed (Requirement 3.3).  Most payments made to call centers or over the phone with service reps are recorded.  Here’s a little PCI compliance secret for you: ‘If you don’t need it, don’t store it.’

In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, which has shifted card fraud towards the Mail Order / Telephone Order (MOTO) space.  Until now, many merchants have treated these phone-based transaction records as outside the scope of the PCI standards.  Merchants concerned enough with compliance to ask had heard from the PCI Council that if there is no way to extract the card data from the audio, PCI rules do not apply.  With the emergence and general acceptance of digitally recorded call files, those recordings can now easily be searched and the card data extracted.  More merchants are using audio recordings, but are not encrypting or destroying the data.

Key points:

  • Explains how the PCI-DSS applies to card holder data stored in call recording systems.
  • Recommendations for assessing risk and applicable controls of call center operations.
  • Specific guidance around storage of sensitive authentication data, which includes suggested methods to meet PCI-DSS requirement 3.2.
  • Guidance on some of the key considerations faced by call centers when implementing PCI-DSS requirements.
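A concrete illustration of the Requirement 3.2 and 3.3 rules discussed above, for the text side of a call center (agent notes, chat or transcription output): an added example, not code from the supplement or from the original post.  It removes card validation codes outright and masks any Luhn-valid PAN to first six / last four before a record is written to storage, while leaving look-alike numbers such as tracking IDs alone.  The sample records are constructed, and the card numbers in them are standard test numbers, not real cards.

```python
"""Strip sensitive authentication data and mask PANs before a call record is stored.

Added example, not from the PCI supplement or the original post.  SAMPLE_RECORDS
are constructed agent notes; the card numbers are well-known test numbers.
"""
import re
from typing import List

# Constructed call-centre notes, as an agent might type them (not real data).
SAMPLE_RECORDS = [
    "Caller read card 4111 1111 1111 1111 exp 12/27 cvv 123, auth ok",
    "Order 7781 shipped, tracking 1234567890123",
    "Card 5555-5555-5555-4444 declined, customer will call back, CVC 999",
]

# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card validation codes (CVV2/CVC2/CID/CSC) are sensitive authentication data (Req. 3.2).
SAD_CODE = re.compile(r"\b(cvv2?|cvc2?|cid|csc)\b\s*[:#]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check: the mod-10 checksum every card PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (Req. 3.3 display masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(text: str) -> str:
    """Return a copy of `text` that is safe to retain under PCI DSS 3.2 / 3.3."""
    # Validation codes may never be retained after authorization, even encrypted,
    # so the digits are dropped outright and only the label is kept as evidence.
    text = SAD_CODE.sub(lambda m: m.group(1).upper() + " [REMOVED]", text)

    def _mask(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        # The Luhn check keeps tracking numbers, order IDs and phone numbers untouched.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)

    return PAN_CANDIDATE.sub(_mask, text)


def sanitize_all(records: List[str] = SAMPLE_RECORDS) -> List[str]:
    return [sanitize_for_storage(r) for r in records]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_RECORDS, sanitize_all()):
        print(f"{before!r}\n  -> {after!r}")
```

Run this on the way into the database, not on the way out: once a full PAN or a CVV has landed in a table or a log, the record is in scope and the 3.2 violation has already happened.  The regex approach only covers text; for the audio itself the safer option is not to capture the code at all, for example by pausing the recording while the customer reads it out.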

Do More Than The PCI Minimum

No matter what type of business you run, from brick and mortar to virtual online, if you accept credit cards, you MUST keep the information that you gather secure.  This is more than just something that you have to do to remain compliant with The Payment Card Industry Data Security Standard (PCI DSS). 

  This is something that you OWE to your customers, regardless of regulatory and industry requirements. 

It is your responsibility, it is good business practice, and it also makes good sense. 



Credit card fraud and misuse costs businesses billions of dollars annually.  The cost per incident may vary, but can typically include:

  • Loss of income from fraudulent transactions
  • Costs of incident investigation and litigation
  • Costs associated with correcting the cause of the breach
  • Costs associated with auditing for further compromise and hardening against recurrence
  • Costs of reissuing cards to customers
  • Loss of reputation, customer confidence and future business
  • Fines imposed by credit card companies
  • Loss of ability to accept credit cards for payment

How much would your business need to pay out under each of these categories if there is a single breach?  Wouldn’t the costs of doing compliance right the first time balance out with the avoidance of that single breach?  Attackers continue to target banks and larger businesses, but are expanding their efforts to include smaller businesses while maintaining their focus on credit and debit card fraud.  You will spend the money to get it right after that first breach, and may never be able to fully recover your reputation, or to regain the assurance that your network has been returned to a clean and secure state.  Once roaches infest a building, it is very difficult to remove them all.  Once a network is compromised, it is never again completely your own.  The defenders of the network and data need to find every potential weakness, every point of entry, in order to properly defend it.  The attackers need only find one.


Cisco Releases PCI Survey Findings

Cisco has unveiled the results of a survey of 500 IT decision-makers regarding the PCI Data Security Standard (PCI DSS), five years after its introduction.  The results are surprisingly positive; to me they demonstrate the value that increased awareness and applying the foundational basics of information security can have.

 The survey included IT decision-makers involved in PCI-compliance programs from several industries, aiming to gauge adoption, uncover the costs and challenges associated with compliance, and measure adoption of certain technologies to better understand the approaches that organizations are taking to meet the requirements.



Key survey findings

  • 70% of respondents feel their organization is more secure than if PCI compliance were not required.
  • 87% believe PCI requirements are necessary for protecting cardholder data.
  • Retail and financial services respondents both felt comfortable in their likelihood to pass an assessment of their PCI compliance.
  • 67% of respondents anticipate spending on PCI compliance will increase in the next year, indicating positive executive and board buy-in.
  • 60% of respondents suggested that PCI-compliance projects can drive other IT or network security projects.

Top challenges

  • When asked to define specific challenges for implementing the PCI DSS requirements, educating employees on the proper handling of cardholder data was the single most highly recognized problem identified, at 43%.
  • Updating antiquated systems was named by 32% of respondents.
  • Of the 12 PCI requirements, the top 3 issues for achieving or maintaining compliance were:
    • Tracking and monitoring access to network resources and cardholder data (37%),
    • Developing and maintaining secure systems and applications (32%),
    • Protecting stored cardholder data (30%)

Adherence to PCI

Government fared better than other sectors on PCI assessments, but the vast majority of respondents are making strides in protecting their sensitive cardholder data.

  • 78% passed their previous initial assessment.
  • 85% believe they would currently pass an assessment.
  • 85% of governmental organizations passed their initial assessment.
  • 72% of health care organizations passed.
  • More than 85% of respondents were aware of the clarifications and recommendations in the newly announced PCI DSS 2.0 standards.


Cisco Compacts Catalyst Switches

This is just too cool.  I originally passed over this article from ComputerWorld today, thinking Cisco had just shrunk the size of their unwieldy box again.  Good for them.  Seems this is a little more than Cisco on Weight Watchers.  Cisco is looking to pursue the SMB and low-end commodity switch market, competing with HP, Adtran, Netgear, D-Link, and others.  A billion-dollar market!

There will be five models available in March, sporting 8 to 12 Fast Ethernet and Gigabit Ethernet ports and 2 Gigabit Ethernet uplinks.  They will also include hardware acceleration for IPv6, IP multicast and access control lists.  The switches feature Power over Ethernet (PoE) pass-through, allowing them to draw power (up to 30 watts per port) from PoE switches in the closet or the core, eliminating the requirement for dedicated power supplies or extra outlets.  They can be deployed up to 100 meters away from the wiring closet, and are fanless, meaning that they can be placed on or mounted under desktops and countertops, or even on a wall in your favorite home office (note to loving wife).

Freak-me-out security features abound!   The C-Series switches support Cisco’s TrustSec technology, which determines the role of users and devices on the network before granting resource access according to defined policies.  Cisco also positions these switches as suitable for PCI-regulated payment environments (no switch is "PCI compliant" on its own; compliance is a property of the whole cardholder data environment).  They can encrypt all packets between the switch and the end device, blocking malicious snoops from eavesdropping on the link between two endpoints.  Optional security locks and cable guards to prevent theft of the switch and unauthorized access to the cables are also available. 

Tools for simplified configuration and management, and QoS implementation for IP telephony and video are available, but I’m not sure if they are built-in or add-ons.  The switches can also be remotely managed, and support Cisco’s EnergyWise software for monitoring and managing energy consumption of attached devices.  EnergyWise turns off or powers down devices when they are not needed.

What will all this cost?  Pricing for the C-series ranges from $745 to $1,995.  I want one!!


WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the on-going WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone that you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement, work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.   Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 


Verizon 2010 PCI Compliance Report

The Payment Card Industry’s Security Standards Council is doing a good job locking down larger retailers, but as I’ve been saying for the past year or two, the smaller “Mom and Pop” shops are becoming the new targets of online criminals.  A recent report on PCI compliance by Verizon confirms these unsettling trends.  The report says Level 3 and 4 (lower transaction volume) merchants are now being targeted for credit card data.  Examples of these targets include restaurants in several states that were hit in recent months. 


Visa Revokes PCI Approval From PIN Pads After Breach

In a move that seems to reflect a very different PCI approach coming from the world’s largest card brand, Visa has ripped the PCI approval from two Ingenico PIN entry devices (PEDs) after a data breach.  What makes this move especially interesting is how it undercuts two strongly held Visa positions, in terms of publishing the names of vendors whose products are engaged in PCI issues and in its position that no PCI-compliant retailer has ever been breached.

Behind all of this commotion are an increasing number of physical attacks against PEDs.