PCI SSC Community Meeting 2009: “The Feedback Year”

Gary Palgon
Vice President, Product Management
nuBridges

Onsite in Las Vegas – The Payment Card Industry’s Security Standards Council (PCI SSC) is on a 24-month cycle of reviewing and editing the PCI Data Security Standard (PCI DSS).  Version 1.2 was issued in October 2008 and the next major release is expected around the same time in 2010.  While last years’ theme seemed to be around “Compliance does not equal security” and “Network Segmentation”, this year’s theme was very much about submitting feedback on the current standard and reviewing new technologies for reducing the scope (and burden) for initial and ongoing PCI DSS compliance.

Pricewaterhouse Coopers (PwC) was contracted by the PCI SSC to “look at technologies out there that have the potential to reduce scope for PCI DSS” and PwC presented their preliminary findings at the meeting this week.  They interviewed more than 160 individuals from 125 companies across 10 countries and evaluated 12 technologies. They narrowed their focus down to four, which they drilled into to understand the impact of implementation and affect in reducing scope of the PCI DSS audit: end-to-end encryption, magnetic stripe imaging, tokenization and virtual terminals. The report will be forthcoming; however, it serves as “feedback” to the PCI SSC as they review the standard and recommendations in the coming year(s).

As funny as it sounds, one “aha!” from the meeting was “What is considered cardholder data?”  Believe it or not there was no easy answer.  The Scoping Special Interest Group (SIG) will take that under review in the coming year. 

And finally, the annual meeting is a time where many people express the difficulty in understanding, implementing and changing the standards.  Much of that was put into perspective when former Congressman Tom Davis explained how the U.S. government works to create laws!  He was the co-author of the Federal Information Security Management Act (FISMA), so standards are near and dear to his heart.  I have to remind myself when I submit questions to the PCI SSC and months go by without an answer that it could be worse – I could be in politics!

Until next time,

Gary

Conference Season’s Upon Us: First up PCI SSC Community Meeting

Gary Palgon
Vice President, Product Management
nuBridges

While you can attend a conference any week or weekend throughout the year, most of us can’t afford the time away from the office, even when we’re on the vendor side of the business equation like I am.  And given summer is a time when many people travel, it turns out that March through June and September through December are prime times for the “conference tours.”  Surely not as glorious as a “band tour,” but exciting nonetheless.  For me it’s an opportunity to meet customers, prospects, business partners and other people I’ve connected with during the year who I may have or have never met.  And for them, the same – an opportunity to put a face with the name.

First up is the Payment Card Industry’s Security Standards Council (PCI SSC) Community Meeting which will be held September 22nd - 24th in Las Vegas.  This is the third one, with the previous ones having been held in Toronto and Orlando.  The surroundings will surely be better than the prior cities (no offense to them – heck, I have to visit them during other conferences in the coming months too) and I would expect a bigger crowd than ever as each year it has grown since it started in 2007.

There’s always some interesting topics, discussions and debates (and this year we’ll add gambling to that).  Last year there was a focus on the quality of Qualified Security Auditors (QSAs) and network segmentation while this year all indications are there will be lots of discussion about virtualization, PCI scope, tokenization, end-to-end encryption, and chip and pin.

If you’re planning on being there, drop me an email at gpalgon AT nubridges DOT com.  I’d love to meet or catch up with you.

Gary

130 Million Credit Cards Stolen?

Gary Palgon
Vice President, Product Management
nuBridges

That just may be the tip of the iceberg as the details of this latest cybercrime unravel.

On Tuesday, Albert Gonzalez and two others were indicted on charges of stealing more than 130 million payment card numbers, the largest hacking and identity theft case ever prosecuted in the U.S. Ironically, he is accused of breaching several retailer’s networks, which were already compliant with the Payment Card Industry’s Data Security Standard (PCI DSS) – a set of comprehensive requirements put into place in 2006 by American Express, MasterCard, Visa and other credit card companies to force businesses to better protect credit and debit card information from thefts like those committed by Gonzalez and other hackers over the years. Then, yesterday, Radisson reported that some of the computers at several hotels were breached between November 2008 and May 2009, possibly exposing guest information and credit card numbers.

This is BIG, but it’s only the latest in a long series of avoidable data breaches. Cybercriminals are opportunists. They steal information from wherever it’s easiest to reach. In the last couple of years they’ve methodically climbed the technology stack. In this case, Gonzalez and his band of global thieves started at the top breaching the web application interface and then went deep down to gather the internal credit card data in transit, the latter a problem that has yet to be enforced by the PCI DSS as a requirement.

Regardless of all of the ways that criminals get into systems to access data, the only sure method of protecting it is to actually ensure that the data is always encrypted, whether at rest or in transit.  And there are methods to do this including encryption, key management and tokenization which you’ve probably read in articles that I’ve published recently or presented.  http://www.nubridges.com/presscenter/articles-2009.php

Until next time,
Gary

Report from the ISSA-UK Chapter Meeting

Gary Palgon
Vice President, Product Management
nuBridges

The ISSA-UK Chapter meeting was held last Thursday evening at the London offices of KPMG and attended by about 60 information security professionals.  There were three speakers covering an update from the Information Commissioner Office, the legal aspects of data security and how to reduce the scope of PCI DSS compliance using tokenization - the last one given by yours truly.

 

The topic was well received and much discussion with the group covered how tokenization applies to other data beyond credit card information and the industries that are a great fit for it – including health care, state and local government (e.g. law enforcement), hospitality, etc.

What was interesting about the other two talks is that the Information Commissioner’s Office noted that they have lots of laws and procedures to protect data but a limited ability to fine organizations for non-compliance, while the solicitor (lawyer for you and me) covered the power of both civil and criminal prosecution for breach of the very same laws.  The recommendation from both was to protect the data though!

I’m on vacation next week, spending my 13th year as a counselor to kids with cancer at Camp Sunshine.  Have a great week and go protect your data!

Gary

Subway strikes don’t stop PCI projects from moving forward!

Gary Palgon
Vice President, Product Management
nuBridges

London’s a great city and the London Underground subway - the “Tube” - makes it so easy to get around – except when the Tube workers decide to go on strike. That’s exactly what happened last week - Tuesday through Thursday night.  Expecting the worst in turnout of attendees for the Corporate IT Forum's Information Security Service’s PCI DSS Conference on Wednesday it was hardly that – the venue was packed with lots of business and information security professionals with a thirst to network and learn how to comply with the Payment Card Industry’s Data Security Standard (PCI DSS).

The following were key discussion points at the TIF Conference:

• There are inconsistencies between Qualified Security Assessors (QSAs) and individual QSAs; often companies and the enterprises they have been helping are left with little knowledge about where they are in the compliance process. 
• There’s a conflict of interest with some QSA firms because they are conducting the security review, performing the audit, and offering remediation software and hardware for compliance.
• Tap into your own employee talent pool to assist with security requirements – they are often glad to help, can apply their skills and will take an interest in your project.
• Use PCI DSS compliance as a way to get money for known security holes in your organization
• Security best practices meet PCI DSS requirements, but the reverse is not true.
• Compensating Controls must be reviewed annually as of the October 2008 update of the PCI DSS (Version 1.2).  Just because you passed last year doesn’t mean you’ll pass this year.
• Open source is a valid way to help comply with the PCI DSS; however, consider the scalability and customer support for the products since they may not be right for your enterprise.

And a few personal observations based on the discussions:

• PCI DSS compliance is not a “one-size fits all” – network with your peers inside and outside of your industry and compare how others have addressed like solutions
• There are multiple ways to “reduce scope” including network segmentation and tokenization – it’s important to consider how each can help your organization
• Collaboration and continued communication between QSAs, security consultants (different from a QSA), and solution vendors can help set a clear path and yield success with compliance
• Compliance doesn’t equal security – to stay ahead of the bad guys you must also consider areas where the PCI DSS falls short – e.g. data in transit within the enterprise
• It all boils down to risk in the end – how much risk is your organization willing to take with their customers’ credit cards and other personally identifiable information (PII)? Do you really want to be famous for a breach?

Just before I got on the plane to leave London I read the headline on the local newspaper, “We’ll go on strike again next week if we have to.”  Great city but they may have to take a lesson from the US when we up and fired the air traffic controllers when they went on strike!

Until next time… Gary

How much would you pay for your own company and consumer data?

Gary Palgon
Vice President, Product Management
nuBridges

Gone are the days when hackers broke into companies as a challenge to themselves to prove they can do it.  More fashionable in recent years has been to steal credit card and other personally identifiable information (PII) so that it could be resold on the black-market.  And now for the next wave, stealing the data so that it can be resold or ransomed back to the rightful owners!
As Dan Kaplan of SC Magazine reported on May 5th, “Hackers seek payment after break-in on state health care site.” Ccyber-thieves did just that demanding $10 million to return patient data to Virginia’s Department of Health.

This isn’t the first time it’s happened and surely it won’t be the last. 

I can think of a couple of solutions to solve it – take out insurance in case it happens (assuming someone’s willing to write you a policy) or follow the suggestion of the Payment Card Industry’s Data Security Standard (PCI DSS) and many regulatory laws like the State Breach Notification laws which suggest rendering the data useless if it ends up in the wrong hands.  In other words, get rid of it if you don’t need it, encrypt it if you do, or hash or tokenize it if you don’t need the original values all of the time but can work with “surrogate data.”

Do you have other suggestions?

The true value of data protection is to ‘let the good guys in!’

Abir Thakurta
Senior Director, Professional Services
nuBridges

With data protection as one of the key challenges facing enterprises around the world, and the need to comply with critical mandates like the PCI-DSS, encryption has become a de-facto strategic weapon in organizations’ data protection arsenals.

Encryption is a great way to protect data -- but it comes with some limitations. Limitations that pose real-world problems in implementing encryption technologies.

The three big barriers to implementation of traditional encryption technologies are:

1. Format preservation and data integrity of sensitive information when it is processed or analyzed by various business intelligence and analysis tools.
2. Application or database modifications to accommodate cipher text changes to the sensitive information.
3. Performance penalties with cryptography processes and algorithms that perform encryption.
   But data protection is not just about encryption technology. And it is not just about keeping the bad guys out (and sometimes the good guys too!).  The true value of data protection is its ability to ‘let the good guys in.’  This helps create a balance of appropriate data security and business continuity so enterprises can run their business while protecting their sensitive, business-critical and regulated data. 

Tokenization as a concept is simple yet powerful. How can we replace sensitive information with a surrogate token? A token that does not compromise the actual data, yet allows enterprises to go about doing their business with the applications that work with that sensitive information?

The key to tokenization is to produce a surrogate token that has a 1:1 relationship with the sensitive information. Not only for data integrity but also to ensure that no mathematical relationship exists that would be subject to dictionary or mathematical attacks. So if the token is ever accessed by a malicious user, it cannot be traced back to the original sensitive information. This, of course, requires a secure data vault where the relationships are stored, the sensitive information is protected and appropriate controls are exercised for limited access to users who can actually reveal a token.

Now think about a technology that can generate format-preserving tokens (so a 16 digit AMEX number still looks like one but isn’t one) and insert them in place of the sensitive data, then encrypts the original data and stores the cipher text in a central data vault.  This allows applications to work with the information and process it, eliminates cipher text instances throughout the enterprise (thereby de-scoping applications from PCI-DSS-type compliance requirements) and prevents malicious users from doing something with the data if they get their hands on it.

At the end, combining encryption with tokenization is a powerful data protection solution for many enterprises.  And as proven with many nuBridges’ enterprise implementations, working with a technology that supports encryption plus Format Preserving Tokenization provides unequalled data protection.

Let me know if you want to discuss more on how this technology works and how it can be implemented in your enterprise!

Look forward to hearing from you,

Abir

U.S. House of Representatives regulatory success gives it credentials to debate PCI.

Gary Palgon

Vice President, Product Management

nuBridges

April Fool’s? Not!

It’s kind of funny when you think about it. The U.S. House of Representatives held a hearing on April Fool’s Day to debate the merits of the Payment Card Industry’s Payment Security Standard (PCI DSS), noting that it has failed to keep consumer credit card information safe. (Source: Computer World)

Recognizing that the PCI DSS is a standard generated in the private sector by payment card vendors such as Visa, MasterCard and American Express, the public officials must have felt that they’ve had such great success with their own regulatory requirements such as SOX and HIPAA, that they can lend a hand to the payment card industry.  HIPAA was ratified in August 1996 and it was eleven years later, in June 2007 before their first audit was conducted. Source: Computer World) Not necessarily the best representation of a quick path to ensuring patient’s sensitive information  -- given we’re still not there!

While I agree that compliance with the PCI DSS does not ensure your environment is secure, it is still the best technical standard available.  It should be used in conjunction with a security framework such as ISO 27002 to make sure that best practices for people, process and technology are developed and maintained on a regular basis.  

At the same time, members of the PCI Security Standards Council (PCI SSC), of which nuBridges is a member, know there are a few shortcomings. Three examples include security of virtualized environments; the lack of a requirement to encrypt internal information in-transit (only requires that external information in-transit be secure); and deferred charging of purchases on credit cards.  The standard will continue to evolve, but there is no debating that it is helping to make companies become more secure as part of their compliance efforts.

Until next time,

Gary