Slashdot Mirror


Credit-Card Data Breaches Drive Security Solutions

4foot10 writes with a link to a CRN article about the booming business of PCI adoption. The Payment Card Industry Data Security Standard (PCI DSS) was worked out by the credit card companies as a guideline for securing customer data. As a series of high-profile customer information leaks has occurred over the last year, the business is increasingly lucrative for those who can keep up. "As PCI-related business begins to boom, security VARs and integrators find themselves in the enviable position of having almost too much work to handle. And there's plenty of room for the market to grow: Visa estimates that just 36 percent of Level 1 merchants (which process more than 6 million credit-card transactions annually) and 15 percent of Level 2 merchants (which process at least 1 million) have complied with PCI. Solution providers can either handle PCI-related assessments of companies' networks and then recommend solutions to address holes, or provide the remediation services after an audit, which often requires companies to implement firewalls or encryption on their networks."

2 of 43 comments

  1. The standard itself by ergo98 · Score: 3, Informative

    The PDF isn't full of anything revolutionary, and most are just common sense data security, but it is a great starting point for securing virtually any highly confidential data.

    Far too many shops don't comply with the majority (or any) of the recommendations.

    1. Re:The standard itself by 4e617474 · Score: 3, Informative

      and most are just common sense data security

      Oh, if only. Until recently I worked for a company that sells systems that perform credit card transactions for a particular segment of merchants (I don't want to say more than that for reasons that will become obvious soon enough). They went through a series of revisions in their product lines, but for the most part the systems are very hard to set up, configure, and troubleshoot, and if you were going to go looking for the most technically inept customer base their target industry would make the short list - so a means of remote access is a standard feature.

      For a number of years, this meant that you had a Unix box with an "everyday" user - username: [name of vendor of system] password: [same as username or blank] - the root user, with one of four or five short dictionary words for the password (and pretty much the same one in any given region of the country) - and the "application" user with a password that I'm told was relatively secure, but who cares when you have a pretty good chance of getting root before your dictionary cracker gets through the "B's". These machines were just sitting there with a modem waiting for anyone who could "cu" to dial in. Once you were in, and you had root, about a week's worth of credit card transactions complete with everything that can be read off the magnetic stripe were waiting for you in plain text.

      A few years down the road, they've gone Windows and they're ever so slightly too careful to have people telnetting in over the Internet, so they use PCAnywhere. Live modem, waiting for you to dial in (yes, dial-up remote administration of a Windows box - fun, fun, fun), username: [name of vendor] password: [name of vendor]. They got called on it, so they changed one of the two to a common word in English, I can't remember which. Once you're in, you're supposed to be signed in as a non-privileged user who's able to access the non-encrypted credit card data only because the permissions aren't always set very well, but usually the owner of the system just signs into their server as Administrator, makes sure that PCAnywhere is running in case the Help Desk needs to get in, and walks away. Their more security-conscious customers (they have a few) require a number of hoops to jump through that you won't be able to if you don't really work at the vendor. On their newest systems, they've encrypted the credit card data, and to decrypt it, you have to sign in to an application with a username that is not especially obvious but is one of the standard Windows users. The password used to be the vendor's name, but now (a few service packs down the road) it's their name and the product number with some numbers substituted for letters and vice versa.

      To their credit, they've started making recommendations like "turn off the modem when you're not actively using it" and "if you use PCAnywhere for TCP/IP, don't use the default ports". This led to support exchanges like:
      "We don't have the modem turned on anymore"
      "So turn it back on"
      "I don't know how"
      "Who does?"
      "He doesn't work here anymore"
      "You'll have to wait for the dealer to come out on Monday"
      "I did mention my business is hemorrhaging cash as I contemplate the value of the six-figure support contract, right?"
      "Yeah, I get that a lot."

      My favorite would have to be the voice mail I got: "We set PCAnywhere to not use the default ports like you told us and now it doesn't work with our firewall, so you'll have to call when someone's here to use Webex." At least the company doesn't have a high turnover rate with lots of disgruntled employees who'd love to make them look bad. Oh wait a minute...

      --
      Finally modding someone offtopic when they rant about what "Begging the Question" means: priceless.
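
The comment above describes a week of transactions, "complete with everything that can be read off the magnetic stripe", sitting in plain text on the payment server. The first job in a PCI assessment of such a system is finding that data, since PCI DSS forbids storing full track data after authorization at all and requires any stored PAN to be rendered unreadable. The script below is an added example of a cardholder-data discovery pass, not code from the original page, the commenter, or any vendor: it scans text for ISO 7813 Track 1 (`%B…^…^…?`) and Track 2 (`;…=…?`) records and for bare 13- to 19-digit numbers, keeps only candidates that pass the Luhn check (which filters out order numbers and other digit runs), and reports masked PANs so the scanner's own output does not become another plaintext copy. The sample log lines are constructed for the example and use the standard 4111…, 5500…0004 and 3782…0005 test numbers; the regexes approximate the track layouts and the field names (`kind`, `line`, `pan`) are assumptions of the example.

```python
import re

# ISO 7813 track layouts as read from the stripe (approximations, assumption of this example).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\??")
# Bare 13-19 digit PAN, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_pan) for each Luhn-valid track record or bare PAN on one line."""
    findings = []
    covered = []  # spans already reported as track data, so the PAN inside is not double-counted
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group("pan")):
                findings.append((kind, mask(m.group("pan"))))
                covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings


def scan_text(text: str) -> list:
    """Scan a whole file's contents; each finding carries its 1-based line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pan in scan_line(line):
            results.append({"line": lineno, "kind": kind, "pan": pan})
    return results


# Constructed sample of a transaction log in the style the comment describes (not real data).
# Line 1 stores full Track 1 and Track 2; line 2 a spaced PAN; line 3 a Luhn-invalid order number; line 4 an Amex PAN.
SAMPLE = """\
2007-03-12 09:14:02 TXN 00812 %B4111111111111111^DOE/JOHN^25121011234567890?;4111111111111111=25121011234567890? APPROVED
2007-03-12 09:14:33 TXN 00813 pan=5500 0000 0000 0004 exp=1225 APPROVED
2007-03-12 09:15:10 TXN 00814 order=1234567890123456 APPROVED
2007-03-12 09:16:41 TXN 00815 pan=378282246310005 exp=0926 DECLINED
"""


def scan_sample() -> list:
    return scan_text(SAMPLE)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit['line']}: {hit['kind']} {hit['pan']}")
```

Run against a real system, `scan_text` would be fed each file under the transaction spool and the database dumps; any `track1` or `track2` hit is an immediate PCI DSS failure regardless of encryption at rest, because full track data may not be retained after authorization at all. The order number on line 3 shows why the Luhn filter matters: without it, every 16-digit serial in the log would be flagged.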