
Posts tagged End-to-End Encryption

Monday, March 29, 2010

Missing elements in PCI DSS

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

It is interesting to note that chip and pin was missing from the study initially done by the PCI council in 2009 on emerging technologies and yet is mentioned specifically by Bob Russo during a panel discussion at RSA.  Key Management Insights recently posted this to their blog:

Bob Russo, General Manager of PCI Security Standard Council, boiled it down to: “There needs to be a mind shift from just compliance to security [since] compliance is a byproduct of good security.”  And when it comes to PCI DSS, Russo added, “PCI DSS is the baseline.”  Russo hinted at some of the clarifications coming in the PCI DSS update in October 2010.  He identified three of the technologies which are likely to receive clarification as:

  • Chip & PIN technology
  • End-to-end encryption
  • Tokenization

The focus on new technology, though not a panacea, is an acknowledgement that payment data is difficult to secure with the current methodology.  Retail sectors, which operate on tight margins, struggle to find the in-house expertise to put the right controls in place to protect the data they hold.

Given that payment card data was stolen in 84 percent of the 285 million security breaches recorded in 2008, according to the most recent Verizon Business Data Breach Report, the payment card industry realizes that something needs to be done.  Security breaches continue to increase, and if the industry does not take action, it is likely that the federal government will impose additional regulations.

The focus on continuous control monitoring is key to understanding what your security posture is. While it is impossible to have impenetrable security, it is critical to be monitoring your network so when a breach does occur, the correct action can be taken.

Undoubtedly, the stakes of not complying with PCI-DSS are rising.  Companies that don’t take PCI-DSS seriously are exposing their customers and themselves to an unacceptable business risk, and their cost of doing business will surely rise to cover the net impact of breaches.  The real question is whether the costs will rise in a controlled fashion as companies put in place best practices, such as outsourcing, to enable their security to be in the hands of seasoned experts — or if businesses will allow costs to spiral as they pay for fines, compensation, and remedial activities in response to data breaches.

Wednesday, October 21, 2009

Emerging Technology Research to Reduce the Scope of PCI DSS

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

The SSC has been clearly enunciating that companies should rationalize the cardholder data they retain and store only the data that is required for a specific time period.  Organizations should isolate, compartmentalize and secure sensitive data to reduce the scope and the cost of PCI compliance.

Organizations have struggled with rationalizing the storage of sensitive data.  Not only is there a significant amount of cardholder data – commonly identified as the primary account number, the cardholder name and the service code – but there are also a large number of databases, and many business reasons, for storing customer information alongside cardholder data.  It is challenging enough to find data across multiple databases, but cardholder data has also been found in flat files, mail boxes, and backup tapes.  For example, when Forever 21 commented on their breach, they acknowledged that cardholder data was stolen from a location they didn’t even know stored cardholder data.

So, while understanding how cardholder data flows through the network and where it is intentionally stored is one part of a company’s responsibility, knowing where it is being stored unintentionally should also become part of a company’s compliance activities.  Encryption systems are often touted as a panacea for the many problems associated with securing cardholder data but, unfortunately, they are often badly designed, the most common flaw being that the keys are stored in plain text on the same system as the encrypted data.

Controls around credit card data storage have often been weak because the focus is on enabling and processing the transaction, not on securing it.  As a result, the SSC commissioned PWC to look at some of the emerging technologies that reduce the scope of PCI DSS, thus making it simpler for organizations to comply.  Among other factors, the solutions looked at by PWC needed to encompass:

  • Positive ROI
  • Reduction of Scope
  • Legacy system compatibility
  • Handle chargeback and fraud

Some of the mechanisms examined by the study, which interviewed 125 companies and encompassed more than 150 interviews globally, are:

  • Tokenization – The idea behind tokenization is that the sensitive data is substituted with a token, or surrogate value.  Using tokens concentrates sensitive data in one master database and replaces the card numbers with “tokens” in all the other systems.  The master database is highly hardened and encrypted and keeps track of which token matches which credit card.  Other systems send the tokens to the master system for processing, which then interfaces with the external transaction processing systems.  By limiting occurrences of card data to a central vault, organizations can reduce the number of systems, applications and processes that must be audited for compliance with PCI DSS.  This can dramatically reduce the time and cost required to pass annual compliance audits.
  • Virtual Terminals – Moving systems to “cloud” style infrastructures enables organizations to focus on their core business and reduce costs.  Virtual Secure Terminals are generally available through browser-style technology and provide a way to process credit cards so that the processing of the transaction does not occur in the branch, call center, or customer support center, but instead at another central location.  This infrastructure allows the organization to benefit from the security and features available through a third party or a central location.  It can replace or work in conjunction with a Point-of-Sale terminal system.  Virtual terminal users must ensure that the virtual terminal provider they are using is either PABP or PA-DSS validated.
  • End-to-end encryption – Following the indictment of Albert Gonzalez for several high profile breaches, there were cries that end-to-end encryption would have prevented the breaches from occurring.  Certainly, end-to-end encryption would prevent many data thefts from taking place.  However, several other strategies, including real-time monitoring, would also have detected the breach and decreased its depth.  There can be no doubt that end-to-end encryption would simplify the process of PCI compliance.  The problem currently lies in the lack of standardization surrounding end-to-end encryption and payment systems.  By selecting an end-to-end encryption system from a payment processor, the merchant may tie themselves to a single supplier.  The SSC has recognized these issues and is creating a special interest group to advise on standards for interoperability, and Visa has recently released global industry best practices for data field, or end-to-end, encryption.
  • Magnetic Stripe Imaging – Magnetic Stripe Imaging collects data from the stripe to prevent fraudulent cards from being used.  It cannot serve as a stand-alone technology to meet PCI requirements.  To be effective, it must be used in combination with other technologies to reduce scope.
  • Chip and PIN – It is impossible to talk about securing credit card transactions without mentioning Chip and PIN technology, which is extensively deployed in the rest of the world.  Chip and PIN technology has significantly decreased fraud in card-present transactions.  This technique is successful because the chip is difficult to clone.  In the U.S., the costs associated with upgrading all merchants, processors and banks have prohibited adoption.  A further negative is that Chip and PIN technology does not impact card-not-present and ATM fraud.  The SSC has decided that this technology does not merit additional research.
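The two activities the post describes, finding cardholder data where it was never meant to be stored (the flat files and mail boxes above) and then pulling it into a central vault so the other systems hold only tokens, fit together in one small script.  The following is an added example written for this page, not code from BT, PWC or the SSC: the regex, the Luhn check, the random token format and the sample export file are all my own constructions.  The vault keeps the real card numbers in memory; a production vault would encrypt them at rest with keys held on a separate system, which is exactly the design flaw called out earlier in the post.

```python
"""Discover stray PANs in free text and replace them with vault tokens.

Added example for the BT post on reducing PCI DSS scope; everything here
(regex, token format, sample data) is constructed for illustration.
"""
import re
import secrets
from typing import List, Optional

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: true for every genuine PAN, false for roughly
    nine out of ten random digit runs, so order numbers and timestamps drop out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _normalise(match: "re.Match") -> Optional[str]:
    """Strip separators; return the digits only if length and Luhn both pass."""
    digits = re.sub(r"[ -]", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> List[str]:
    """Discovery pass over a file, mailbox dump or backup extract."""
    return [d for m in PAN_CANDIDATE.finditer(text) if (d := _normalise(m))]


class TokenVault:
    """The one hardened system that holds real PANs.

    Tokens are random, so a token reveals nothing about the card number; the
    last four digits are appended for receipts and customer-service lookups.
    A real vault encrypts the PAN store with keys kept off this host.
    """

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}             # reuse one token per card

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:                         # loop guards against a collision
            token = f"tok_{secrets.token_hex(6)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment gateway should ever be allowed to call this."""
        return self._pan_by_token[token]


def tokenize_text(text: str, vault: TokenVault) -> str:
    """Remediation pass: rewrite every Luhn-valid PAN as its vault token, leaving
    Luhn-invalid digit runs (order numbers, phone numbers) untouched."""
    def repl(m: "re.Match") -> str:
        digits = _normalise(m)
        return vault.tokenize(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample: an export file that was never meant to hold card data.
# 4111... and 5500... are the well-known Visa/Mastercard test numbers; the
# order numbers are 16 digits but fail the Luhn check.
SAMPLE_EXPORT = (
    "order=1234567890123456 customer=Alice card=4111 1111 1111 1111 amount=19.99\n"
    "order=1234567890123457 customer=Bob card=5500-0000-0000-0004 amount=5.00\n"
    "support note: customer phoned from 0800 800 150 about card 4111111111111111\n"
)

if __name__ == "__main__":
    vault = TokenVault()
    print("PANs found:", find_pans(SAMPLE_EXPORT))
    print(tokenize_text(SAMPLE_EXPORT, vault))
```

Run against the sample, the discovery pass reports the three card numbers and ignores the two order numbers; after `tokenize_text` the export contains no Luhn-valid digit runs at all, so a system holding that file has dropped out of PCI DSS scope, while both copies of the 4111 card map to the same token and can still be matched for returns or recurring billing.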

Emerging technologies will reduce the scope of PCI.  Organizations with simple payment infrastructures will undoubtedly turn to end-to-end encryption systems provided by payment processors, since they are the simplest mechanism to implement.  Smaller organizations will probably turn to virtual terminals and hosted solutions, which will reduce the scope of PCI compliance or remove it entirely from their hands.  Large organizations will likely look to reduce the risk of the card data they store by using a combination of tokenization and encryption, as there are many drivers for storing card information, including product returns, rewards and rates on recurring transactions.

The technologies associated with protecting sensitive data are relatively young, and while they are proving to be robust, they are not foolproof.  In addition to assessing which of these emerging technologies may prove most valuable to them, organizations need to assess how and when they use data to ensure that information is not being retained simply because it might come in handy without assessing the damage caused when that information is compromised.

http://www2.prnewswire.com/cgi-bin/stories.pl?ACCT=109&STORY=/www/story/09-12-2008/0004884255&EDATE=

http://www.btsecurethinking.com/2009/09/albert-gonzalez-pci-dss/

http://corporate.visa.com/media-center/press-releases/press941.jsp
