Thursday, 25 October 2012

PCI SSC Community Meeting Dublin 2012 Review

I attended the Payment Card Industry Security Standards Council (PCI SSC) Community Meeting in Dublin this week. In all honesty there isn't a lot happening with the PCI SSC standards at the moment, namely PCI DSS, PA-DSS and PTS, and I will explain why.

Firstly, the PCI SSC and PCI DSS have been around for many years now; I was at the inaugural SSC community meeting in Toronto in 2007. Since then the PCI DSS has only undergone a few fairly minor changes, so don't be fooled by the PCI SSC's version numbering, i.e. PCI DSS V1.2.1 to V2.0. We can certainly expect PCI DSS V3.0 next year. The actual changes since the original release of PCI DSS are minor, so in essence we have a mature and highly static data security best practice standard.

Secondly, over the last 6 years the PCI SSC has provided reams of guidance and FAQs, and has improved how it communicates with those within the payment card industry trying to comply. Again this has matured; there just aren't any new questions anyone is posing which haven't already been answered in the PCI SSC's online library of information.

Finally, the technological solutions which vastly aid the descoping of payment cardholder data (CHD) environments, and so make PCI DSS compliance much easier to obtain, are no longer new. Tokenization, point-to-point encryption (P2PE) and Semafone's call recording solution, which eliminates cardholder data within call centres and so cuts call centre fraud risk significantly, are no longer new concepts to be explored and understood, but tried and tested solutions in the field. Even the problem platform of mobile payments is nothing new. By the way, the PCI SSC are clear on this: they consider no mobile platform to be secure, therefore no payment application created to run on a mobile device can be PA-DSS validated, which jeopardises the PCI DSS compliance of any company deploying apps which store or process cardholder data on mobile devices. I should point out that PCI PTS approved card readers connected to mobile devices, which use point-to-point encryption from the hardware reader itself, are endorsed by the PCI SSC for use with mobile.

Mobile Payments Usage is Exploding, but how many are PCI compliant?

What to expect with PCI DSS V3.0
Well, we will have to wait until the North American Community Meeting in Las Vegas in September 2013. I tried my best to find out what changes the PCI SSC have in store from various PCI SSC board members I know, as I believe the SSC board do have an idea about what will be changed within PCI DSS, even though the standard is still in the "feedback stage" of its lifecycle. But it was like getting blood from a stone; even after several pints of the Irish black stuff they all remained tight lipped. Personally, I think we'll see very few changes with PCI DSS V3.0. Sure, some security vendors would like to see new requirements to help them sell solutions such as cardholder data discovery (card data searching), but that isn't going to happen in my opinion. I do expect some changes with the PCI DSS Self Assessment Questionnaires (SAQs). I think the SAQs should be "rebooted", made more small merchant (retailer) friendly and clearer, especially as most of the card fraud at the moment is occurring at level 4 (small) merchants. In these breach instances merchants have been found not to be complying correctly with PCI DSS, or not even attempting to comply. We'll have to wait until Q3 2013 when PCI DSS V3.0 is released.

Exhibition Hall

Key moments from the Community
So nothing much is happening with PCI DSS, PA-DSS and PCI PTS, but there were some excellent presentations at the community meeting; these are my main highlights.

Mark Gallagher, the former Head of Cosworth's Formula 1 Business Unit, Head of Commercial Affairs at Jaguar / Red Bull Racing and Marketing Director at Jordan Grand Prix, was the keynote speaker at the event. His talk on F1 risk management was superb, especially if you are a petrol head or F1 fan.
Mark Gallagher F1 Cosworth, Jaguar, Red Bull, Jordan

Mark had some great stories about Lewis Hamilton's rise from a 10 year old boy to F1 World Champion, lessons learned from Ayrton Senna's fatal crash, and a highly insightful, yet to the information security industry somewhat familiar, F1 approach to risk management, not just for the cars but for the processes and the people maintaining and driving the cars. Technology, processes and people; now where have we heard that before?

Nicholas Percoco, Senior Vice President and founder of Trustwave SpiderLabs, talked about the mobile threat to cardholder data and showed several examples of mobile device hacks. Scary demonstrations indeed, so no wonder the PCI SSC states that no mobile device can be considered a secure platform for payments unless it is used with a PTS approved card reader.
Nicholas Percoco on the Mobile Threat

Andy Bontoft, Foregenix co-founder and lead forensic investigator, gave an excellent and gripping presentation about what he had seen in the course of investigating numerous card data breaches around the world. I always say the most difficult challenge facing card data hackers is not getting into the systems, but extracting the cardholder data out.
Foregenix Investigations of card breaches

So when Andy described how he spotted the use of a small website image file to extract cardholder data, I was really intrigued. The hacker used a small graphic file on the website, appended captured cardholder data to the image file, then automated the periodic collection of the cardholder data and the clean up of the file.
Foregenix Investigation: Hiding credit cards within files
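As an added illustration of the exfiltration channel Andy described (this is not code from Foregenix or from this post), here is a Python check a web or forensic team could run over a site's image directory. It assumes the stolen records were appended after the image's real end of file, the simplest way to grow a file without breaking the picture; it walks the PNG chunk structure to find where the image legitimately ends, treats anything after the IEND chunk as suspect, and Luhn-checks any card-number-length digit runs in that tail. The 1x1 PNG and the "skimmed" records are constructed here using the standard test card numbers, not data from any investigation.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk the PNG chunk list and return the offset just past the IEND
    chunk, i.e. where a well-formed PNG ends. Returns None if the data is
    not a PNG or no IEND chunk is found (truncated or not a PNG at all)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # length+type header, chunk data, CRC
        if ctype == b"IEND":
            return pos
    return None


def luhn_ok(digits):
    """Luhn (mod 10) check that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digit runs not embedded in a longer digit string
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scan_image(data):
    """Report bytes trailing the IEND chunk and any Luhn-valid
    card-number-like digit runs found in that tail."""
    end = png_end_offset(data)
    if end is None:
        return {"png": False, "trailing_bytes": 0, "pans": []}
    trailing = data[end:]
    text = trailing.decode("latin-1")  # lossless byte-to-char mapping
    pans = [m for m in PAN_RE.findall(text) if luhn_ok(m)]
    return {"png": True, "trailing_bytes": len(trailing), "pans": pans}


# --- constructed sample data (hypothetical, not from the investigation) ---

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_tiny_png():
    """A valid 1x1 white RGB PNG, the innocent-looking carrier file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")          # filter byte + 1 pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


CLEAN_PNG = make_tiny_png()
# Constructed "skimmed" records using the well-known test PANs; the third
# line is a digit run that fails the Luhn check and must not be reported.
STOLEN_TRAILER = (b"\n4111111111111111|12/15|123"
                  b"\n5555555555554444|05/14|456"
                  b"\n1234567890123456|01/16|789\n")
TAMPERED_PNG = CLEAN_PNG + STOLEN_TRAILER

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, scan_image(img))
```

To use it on a real site, walk the web root and alert on any image whose trailing_bytes is not zero, and on images whose modification time keeps changing, which is the footprint of the periodic collect-and-clean cycle Andy described. The same end-of-image idea applies to JPEG (bytes after the FF D9 end-of-image marker) but needs a proper segment walk so it does not stop at an embedded thumbnail's own end marker. This check will not see data hidden inside a legitimate-looking ancillary chunk such as tEXt, so a fuller scanner should also run the Luhn pass over every chunk body.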

Sky and Semafone presented separately about call centre fraud and the use of Semafone's solution, which removes cardholder data from call centre environments. The solution allows call operators to remain on the call while customers type their card details on their phone keypads; the operator hears only a flat tone for each key press and never sees the card number on their screen, so the cardholder data is removed from their view, their local computer, the servers, the network infrastructure, and the phone system including the call recording. The Semafone solution not only descopes the call centre environment from expensive PCI DSS compliance IT technologies, but removes the opportunity for call centre fraud, and allows companies like Sky to provide better working conditions for their employees, such as allowing Facebook access and personal mobile phones at operators' desks, as the risk of internal cardholder fraud is virtually gone.

The networking at the event was excellent as always, I made new friends and caught up with many old friends within the industry, so until next year...

1 comment:

sarah lee said...

Thanks for your suggestion, a well written article with a lot of helpful information.
Security systems