PCI DSS

05/29/2013

Visitor Badges as a Security Tool

An important aspect of PCI compliance involves restricting physical access to areas where cardholder data is stored or processed (PCI DSS Requirement 9).  Firewalls and encryption can protect data from an attacker who operates from a remote location, but the data is still at risk if the company does not create and enforce a policy governing who may enter the rooms and areas where it is kept.  A vital part of that policy is a system of visitor badges for individuals on the premises who are not employees.  So what does the PCI Data Security Standard say about visitor badges?  It requires businesses to follow these guidelines:

  • A visitor badge does not by itself grant unescorted access: visitors must be escorted at all times in areas where cardholder data is stored or processed.
  • Visitor badges should be designed so that visitors can be easily distinguished from onsite personnel.
  • Visitor badges should expire at a specified time.
  • Visitors should surrender their badges before leaving the premises or when the badge expires.

Only authorized personnel should be allowed to issue visitor badges, and the badge system should be backed by a visitor log recording the visitor's name, the firm represented, and the employee who authorized access; the standard requires that log to be kept for at least three months (Requirement 9.4).

05/24/2013

What Does the PCI DSS Say About Background Checks for Personnel?

In today’s business environment, insider threats, that is, theft and other misuse traceable to onsite employees, are a growing concern.  Recognizing the hazards that can come from within an organization, many businesses have instituted background check programs; these range from a simple criminal record search to an extensive review of an applicant’s personal and professional history.  What many business owners do not realize is that screening prospective employees is not just good practice: for personnel who will have access to cardholder data, the PCI Data Security Standard requires it.

Requirement 12.7 of the PCI DSS calls for businesses to “screen potential personnel prior to hire,” within the constraints of local law, to minimize the risk of attacks from internal sources.  To remain compliant, a business should therefore ensure that its Human Resources department runs background checks on every prospective employee applying for a position that would grant access to cardholder data.  For positions such as store cashiers, who handle only one card number at a time while facilitating a transaction and have no access to stored cardholder data, the standard makes screening a recommendation rather than a requirement.

Incidentally, the PCI DSS does not specify how background checks are to be carried out; the examples it gives are previous employment history, criminal record, credit history, and reference checks, and the details are left to each company.

04/22/2013

Masking PANs for PCI Compliance

For businesses, a big part of maintaining PCI compliance is the proper handling of primary account numbers (PANs) used in payment processing.  The PCI Data Security Standard (PCI DSS) includes a substantial amount of guidance on this issue, and one aspect of PAN handling that deserves closer scrutiny is Requirement 3.3, which calls for organizations to “Mask PAN when displayed.”  What does this mean?

In this context, masking means obscuring part of a PAN wherever it is displayed: on a screen, on a receipt, in a report, or on any other media the organization uses.  Masking is not the same as truncation.  A truncated PAN has digits permanently removed before it is stored, which is one of the accepted ways of rendering stored PANs unreadable under Requirement 3.4; a masked PAN may still be stored in full (and must then be protected under 3.4), and only its display is limited.  To comply with 3.3, no more than the first six and the last four digits may be visible; the digits in between are replaced with a placeholder such as an asterisk.  Masking reduces the number of people and places from which a full PAN can be read, and with it the risk that the number falls into the wrong hands.  Personnel with a legitimate business need to see a full PAN may do so, but that need should be documented, and the roles permitted to view full PANs should be spelled out in the organization’s written information security policy (PCI DSS Requirement 12).  Logs deserve particular attention: a PAN written to an application or debugging log is “displayed” to everyone who can read the log, and stored there as well.
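
As an added illustration (example code, not part of the original post and not from any Element product), the function below masks a PAN to the first six and last four digits as Requirement 3.3 allows, and a second function applies the same masking to every PAN-shaped number in free text such as a receipt template or a log line.  The function names, the regular expression and the sample strings are this example’s own assumptions.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Constructed for this example; tune to your own data.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# PCI DSS 3.3: at most the first six and last four digits may be shown.
MAX_FIRST, MAX_LAST = 6, 4


def mask_pan(pan: str, keep_first: int = MAX_FIRST, keep_last: int = MAX_LAST,
             placeholder: str = "*") -> str:
    """Return the PAN with only the leading/trailing digits visible.

    Separators in the input are dropped, so the result is digits and
    placeholders only. Refuses to show more than 3.3 allows and refuses
    inputs that are not PAN-length, so a caller cannot "mask" a malformed
    value into something that still leaks.
    """
    if not (0 <= keep_first <= MAX_FIRST and 0 <= keep_last <= MAX_LAST):
        raise ValueError("display may show at most the first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    hidden = len(digits) - keep_first - keep_last
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:]          # "" when keep_last == 0
    return head + placeholder * hidden + tail


def scrub_text(text: str) -> str:
    """Mask every PAN-shaped number in free text (receipt template, log line,
    support ticket). No Luhn filter on purpose: over-masking a non-PAN is
    harmless, while a missed PAN is a leak, so the safe failure is to mask."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))   # 411111******1111
    print(mask_pan("4222222222222"))         # 13-digit PAN: 422222***2222
    # Constructed log line; a real one would come from the POS application.
    print(scrub_text("2013-04-22 sale PAN=4111-1111-1111-1111 amount=19.99"))
```

The design choice worth noting is in scrub_text: it deliberately does not try to tell real PANs from other 13 to 19 digit numbers, because masking a number that was not a PAN costs nothing, while leaving a real PAN in a log is exactly the exposure 3.3 is meant to prevent.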

04/10/2013

vSkimmer Malware Steals Sensitive Data from POS Systems

Many merchants rely heavily on point-of-sale (POS) payment card processing, and for them it is certainly not news that criminals target these systems to steal cardholder data.  It is important to keep in mind that these attacks are not static: as the technology advances, the malware advances with it.

Reports are circulating that a new Trojan aimed at POS systems running Microsoft Windows is active in the wild, stealing valuable data.  Called “vSkimmer,” this malware steals the “track 2” data encoded on a card’s magnetic stripe (the PAN, the expiry date and the service code).  Like other POS memory scrapers, it does not need to defeat disk or network encryption: it reads the memory of the running POS process, where track data exists briefly in cleartext while a transaction is processed, and collects whatever matches the track 2 format.

The arrival of vSkimmer is another reminder that merchants must keep their security controls current by applying relevant patches and antivirus updates as soon as they are available.  Keeping the POS up to date with security patches minimizes risk and is itself required by the PCI Data Security Standard (PCI DSS Requirement 6.1).  Patching alone is not enough against a memory scraper, though, because it arrives as an ordinary executable rather than through a software vulnerability: the POS should also be hardened so that only the applications it needs can run (Requirement 2.2), its outbound connections should be restricted to the payment processor and update servers (Requirement 1), and its logs should be reviewed for unexpected processes and connections (Requirement 10).
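
The following added example (not vSkimmer code, and not from the original post) shows the other side of the same technique: a scan over a constructed memory buffer for records in the track 2 layout that vSkimmer harvests, using the standard’s own sentinels and the Luhn check to separate real PANs from noise.  The buffer, the function names and the sample card number (a well-known test PAN) are this example’s own assumptions.  A defender can run the same scan over a process memory dump or an outbound traffic capture to confirm whether track data is sitting in cleartext on a terminal, which is exactly what a RAM scraper looks for.

```python
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN (up to 19 digits),
# field separator '=', expiry YYMM, three-digit service code, discretionary
# data, end sentinel '?'. This is what a RAM scraper pattern-matches on.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return one dict per Luhn-valid track 2 record found in buf.

    Only the masked PAN is returned, so the scan result is itself safe to log.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):      # noise that merely looks like a track
            continue
        hits.append({
            "offset": m.start(),
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group(2).decode(),          # YYMM
            "service_code": m.group(3).decode(),    # first digit 2 or 6 = chip card
        })
    return hits


# Constructed buffer standing in for a process memory dump; not a real image.
SAMPLE_DUMP = (
    b"\x00\x00POS.EXE\x00"
    b";4111111111111111=25121010000000000000?\x00"   # well-known test PAN, Luhn-valid
    b"garbage 1234;4111111111111112=2512101?\x00"    # check digit wrong: skipped
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(hit)   # {'offset': 10, 'masked_pan': '411111******1111', 'expiry': '2512', 'service_code': '101'}
```

The same regular expression is the signature to look for in network traffic leaving a terminal: track data has no business appearing on the wire in this form at all, so a single hit is worth an incident.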

04/01/2013

Windows XP Becomes Obsolete in 2014—What Then?

In a sense, April 8, 2014 will mark the end of an era—this is the date when Microsoft will cease providing support for its perennially popular Windows XP operating system.  Since its launch way back in 2001, XP has proven surprisingly durable, managing to retain a large portion of the market share even after subsequent operating systems (e.g., Vista) arrived on the scene.   But Microsoft is finally bringing down the curtain on XP; after April 2014, the company will stop providing security patches, updates, and related support services. 

What will this mean for the substantial number of merchants that still rely on XP?  They will have to move to a newer operating system.  XP will keep running after its end-of-life date, but without vendor patches every vulnerability discovered after April 2014 stays open indefinitely.  Merchants that keep XP in their payment environment will therefore fall out of compliance with PCI DSS Requirement 6.1, which obliges businesses to protect their systems by installing “the latest vendor-supplied security patches”; a vendor that no longer issues patches cannot supply them.  These merchants must switch to a supported operating system before April 2014, and since the POS application itself may not support (or be validated on) a newer Windows version, the migration should be planned with the POS software vendor rather than treated as a simple operating system upgrade.

03/29/2013

What Are Sensitive Authentication Data?

Sensitive authentication data (SAD) are the elements of a payment card transaction used to authorize the transaction and to verify that the card and cardholder are genuine.  This category of data is tightly regulated by the PCI Data Security Standard:  PCI DSS Requirement 3.2 forbids merchants from storing it after authorization, even in encrypted form.  Given the importance of handling this data properly, it is worth exploring the subject in more detail.  So what kinds of information constitute sensitive authentication data?  The standard lists three: 

  • Full track data.  This is the complete contents of the magnetic stripe on the back of the card (or the equivalent data on a chip).  The track contains the PAN, the expiry date, the service code and discretionary data, including a card verification value (CVV1/CVC1) that is encoded on the stripe but never printed on the card.  The PAN, expiry date, cardholder name and service code may be extracted from the track and retained, subject to Requirement 3.4; the full track may not.
  • The card verification code.  This goes by a variety of names depending on the brand (CVV2, CVC2, CID, CAV2).  It is the three-digit number printed near the signature panel on the back of the card or, for American Express, the four-digit number printed on the front.  It is not encoded in the magnetic stripe, which is precisely why it is used as evidence that the card is physically present in card-not-present transactions.
  • The PIN and PIN block.  When a customer enters a PIN at a terminal, the PIN is not transmitted by itself; it is typically combined with twelve digits of the PAN into a fixed-format “PIN block” (ISO 9564 format 0) and encrypted inside the PIN entry device before it leaves.  Neither the PIN nor the PIN block, encrypted or not, may be stored. 

None of this data may be retained by the merchant after the authorization process is complete.
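
To make concrete what a PIN block contains, here is an added example (not from the original post) that builds and parses an ISO 9564-1 format 0 PIN block, the layout in which a PIN is padded and combined by XOR with the rightmost twelve PAN digits, excluding the check digit.  Format 0 is one of several formats in that standard (format 1, for instance, does not involve the PAN); it is shown because it matches the description above.  The function names and the sample PIN and PAN are this example’s own assumptions, and it works on the cleartext block only: in a real terminal the block is formed and immediately encrypted inside the PIN entry device and never exists in the clear outside it.  The example shows why the block is sensitive authentication data in either form: anyone holding the cleartext block and the PAN recovers the PIN directly, and anyone holding the encrypted block and the key is in the same position.

```python
def _pin_field(pin: str) -> bytes:
    """Format 0 PIN field: nibble 0 = format (0), nibble 1 = PIN length,
    then the PIN digits, padded with F to 16 nibbles (8 bytes)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def _pan_field(pan: str) -> bytes:
    """Format 0 PAN field: 0000 followed by the rightmost 12 digits of the
    PAN excluding the check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return bytes.fromhex("0000" + digits[:-1][-12:])


def encode_pin_block(pin: str, pan: str) -> bytes:
    """Cleartext ISO 9564-1 format 0 PIN block = PIN field XOR PAN field.
    A real PIN entry device encrypts this at once; it is produced in the
    clear here only to show its structure."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a cleartext format 0 block given the PAN it was
    formed with. A wrong PAN leaves the F padding corrupted, so the block
    refuses to decode: that is the PAN binding format 0 provides."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    n = int(field[1], 16)
    pin, pad = field[2:2 + n], field[2 + n:]
    if not (4 <= n <= 12 and pin.isdigit() and pad == "F" * (14 - n)):
        raise ValueError("block does not decode under this PAN")
    return pin


if __name__ == "__main__":
    # Constructed sample PIN and PAN; neither is a real card.
    block = encode_pin_block("1234", "4000001234567899")
    print(block.hex().upper())                          # 041234FEDCBA9876
    print(decode_pin_block(block, "4000001234567899"))  # 1234
```

Because the check digit is excluded from the PAN field, two PANs that differ only in their check digit produce the same field; the binding is to the account digits, not to the full printed number.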

02/25/2013

Types of Cloud Computing Environments

If current trends continue, cloud computing (computing resources delivered over and accessed through the Internet) will soon play a major role in the business world.  This is why the PCI Security Standards Council (PCI SSC) recently released its “PCI DSS 2.0 Cloud Computing Guidelines” document, containing a wealth of information on the subject.  The document covers a lot of ground, and among this material the PCI SSC helpfully defines the four deployment models (taken from the NIST definition of cloud computing) that it uses throughout.  We’ll briefly explore these below:

  • Private clouds – This is a cloud environment intended for a single client.  It may be operated by the client that utilizes it or by a third-party entity, and it may be located on-site or off-site.
  • Public clouds – This is a cloud environment open to the public or a large group of users.  It is owned and maintained by a third-party provider.
  • Community clouds – This is a cloud environment shared by several clients with related computing needs.  It may be operated by one or more of the user clients or by a third party.
  • Hybrid clouds – As the name implies, this is a cloud environment that incorporates elements of more than one type.  For example, a private cloud may utilize resources from a public cloud on an as-needed basis.

No matter which type of cloud is used, the cloud service provider and its customers share responsibility for PCI DSS controls, and the split depends on the service model: the provider covers more of the stack for a software-as-a-service offering than for raw infrastructure.  Shared responsibility does not transfer accountability.  The merchant remains responsible for its own compliance with the PCI Data Security Standard (PCI DSS), so it should obtain from the provider a written statement of which requirements the provider covers, which are the merchant’s, and which are shared, and verify the provider’s own PCI DSS validation status before placing cardholder data in the cloud.

02/13/2013

How Is a Device’s Attack Potential Calculated?

“Attack potential” is a term that appears often in the documentation published by the PCI Security Standards Council (PCI SSC), in particular in the PIN Transaction Security (PTS) requirements for payment terminals.  It is a numeric rating of how much effort an attacker needs to find and then exploit a weakness in a given piece of equipment.  The device requirements set a minimum score that the easiest attack against a device must reach, so the higher the score of the cheapest attack, the more resistant the device.  The score is built up from the factors below, each rated separately for the identification phase (discovering the weakness) and the exploitation phase (using it against a deployed device):

  • Attack time – The time needed to identify or exploit the vulnerability.
  • Expertise – The skill level required to carry out a successful attack.  Three levels are recognized (in ascending order):  Layman, Proficient, and Expert.
  • Knowledge of the device – The type of knowledge of the specific device required to execute a successful attack.  This is classified in one of three categories:  Public (accessible to everyone), Restricted (available on request or in official documentation), and Sensitive (hard-to-obtain “secret” information such as internal design details).
  • Access to the device – The kind of device samples the attacker must obtain to identify or exploit the vulnerability.  There are three categories:  mechanical samples, functional samples without working keys, and functional samples with working keys.
  • Equipment – The tools needed to identify or exploit the vulnerability, categorized as follows (in ascending order):  Standard, Specialized, Bespoke, and Chip-level. 
  • Parts – The parts needed to hide an attack or to replace material damaged during it (in ascending order):  Standard, Specialized, or Bespoke.

01/04/2013

How to Become an Internal Security Assessor

For small merchants and organizations, implementing the guidelines of the PCI Data Security Standard (PCI DSS) can be a reasonably simple task—especially with the high-quality security tools provided by Element Payment Services.  But larger companies often find it convenient to have employees whose job duties are entirely or substantially given over to monitoring and maintaining the organization’s compliance with PCI requirements.  For these individuals, the PCI Security Standards Council has developed the Internal Security Assessor (ISA) program, which trains qualified personnel in the PCI DSS and its assessment procedures.  Once trained, ISAs can help their companies with internal audits and self-assessments.

Steps for Becoming an ISA

  • Sponsor Company Qualification – An organization that wishes to train one or more employees as Internal Security Assessors must first apply to the PCI SSC to become a Sponsor Company.  NOTE:  An ISA must be affiliated with a Sponsor Company, and the qualification cannot be transferred to another company.
  • ISA Qualification – Once the organization has been approved as a Sponsor Company, eligible employees may take the PCI Security Standards Council’s ISA training course.
  • Annual Requalification – Both the Sponsor Company and the individual ISAs must recertify on an annual basis to maintain their respective qualifications.

11/16/2012

An Overview of Risk Profiling

Another notable aspect of the “PCI DSS Risk Assessment Guidelines,” released in November 2012 by the PCI Security Standards Council, is its exploration of “risk profiling.”  This is an important concept, as it gives merchants a solid framework from which to go about assessing the security risks of their systems and services.  Risk profiling refers to the comprehensive assessment of all company assets involved with processing or storing cardholder data.  The exact procedure for doing this is up to the judgment of each organization, but the PCI SSC suggests including the following four aspects:

  • Assets – Companies should enumerate all systems and components that store, process or transmit cardholder data, or are connected to systems that do.  This stage involves classifying the type (e.g., hardware) and relative value of each asset.
  • Threat – Each asset should be analyzed for the kinds of threats to which it is exposed.  For example, a computer that is isolated from the network is not exposed to remote attack but is still vulnerable to an insider (e.g., an employee) with physical access.  The company should also estimate the likelihood of each threat.
  • Vulnerability – The company should describe each vulnerability and rate its severity, ideally noting which threats could exploit it.
  • Risk score – Each asset is rated by combining its value, the likelihood of the threats against it, and the severity of its vulnerabilities; the resulting scores rank the assets so that remediation effort goes where the risk is highest.
