
Credit Card Security Standard Issued

alphadogg writes "The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, Wednesday issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization. PCI adherence has been pushed big time in the industry to help avoid more big breaches such as the one involving TJX. Those familiar with the standard say it could be expensive to implement and that there are some things those using wireless LANs will need to pay especially close attention to."

14 of 98 comments

  1. PCI standards and real life by Anonymous Coward · · Score: 5, Interesting

    I don't know how many reading this have been through the whole PCI thing. Personally, I think that it is pushed by folks that are selling 'scanners' and other remediation software.

    I believe that security standards are a good thing. I appreciate that PCI has helped many environments be more secure. However...

    I have worked in 3 unix shops that were devoted to E-Commerce. Currently, I'm really impressed with the company that I work for and how they do things. Unfortunately, I have seen things that most Unix admins/Security admins would have nightmares about in some other places that I have consulted. Yet, no matter what security flaws are there, they always passed.

    I shudder when I think of one company that I worked with. They are a very high level financial institution. Guess what their AIX HMC passwords are? Can you get to them from the outside world? Yep. Could I down their production servers, a year after I worked there? Yep. Are they considered compliant to DSS/PCI standards? Yep.

    1. Re:PCI standards and real life by Dice · · Score: 2, Interesting

      Exactly.

      I haven't worked with PCI specifically (although it's looking like I will soon) but I've seen the same sort of BS when working with telecom companies. They plop down a gargantuan checklist which is clearly the umpteenth managerial iteration over something that may have once been written by someone who knew what they were doing. Following the checklist does not mean that you are secure, but it is possible to be secure and also manage to check all of the boxes they want.

    2. Re:PCI standards and real life by operator_error · · Score: 2, Interesting

      No kidding! Once I did PCI consulting for a firm that did nothing to support my quality work, trying to build a really secure, yet user-friendly and fully functional workgroup infrastructure (with Ubuntu workstation proto-types avail.). Please trust me when I say I Delivered on A Secure Plan with open-source Goods, and no budget. It didn't matter, because everyone really wanted their Windows & their iPods & Smartphones, and didn't see how I delivered, in meeting Requirements for the nature of my client's Transaction Processing Company.

      All I needed was support and actual authority from the management to do my job. So I went to the management and I said point blank, "What did you hire me for? To deliver on a secure, auditable, Network Security Monitoring (NSM) infrastructure, which seems like a good investment, and worthy of my fees; or did you just hire me to help you pass a test?" I never received a Direct answer to my question, other than I could go on describing little details of how our business relationship ended.

    3. Re:PCI standards and real life by daem0n1x · · Score: 2, Interesting

      Well, financial institutions didn't care much about the safety of funds they have invested in, and that's their core business, why should they care about IT security?

      I guess they couldn't have screwed up worse than they did, even if they had "1234" for all root passwords on their data centers.

  2. But when will consumers see additional security? by Manip · · Score: 4, Interesting

    Consumers in the US in particular are hugely behind the curve as far as end to end security goes. A lot of Credit and Debit cards are still being issued without Chip & Pin. Yet worse, for some mind-boggling reason, Credit Card companies have started installing RFID into these cards.

    In the EU, the UK in particular, Chip & Pin is mandatory while RFID is nowhere to be found. Now I appreciate that the US only recently moved away from Checks and still has a very questionable Direct Debit (bank to bank transfers) system in place, but you would think one of the world's leaders wouldn't be one of the world's losers in terms of card security and fraud protection.

  3. Self assessment by colin_s_guthrie · · Score: 5, Interesting

    As a small company who has recently been through the self assessment procedure, I can say that the guidelines are very poorly designed in many cases.

    For example, on the instructions page (https://www.pcisecuritystandards.org/saq/instructions.shtml) there is a link to SAQ Validation Type 1 form (A) and describe the type of applicant thus:
    "Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants."

    But in form A part 2c it states:
    "Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service provider(s) to handles these functions;"

    By answering yes to this question, a merchant is saying that they will not transmit the details on (i.e from, to or within) their premises. This would mean that e.g. a mail or telephone operator could not *transmit* the card details to a third party service provider. i.e. they cannot use the PAN in any way (they *can* store it on paper - so orders by mail are OK), but the requirement very specifically says "Merchant does not ... transmit any card holder data on merchant premises". If I cannot transmit this information on my premises I cannot send it out to our service provider for processing etc.

    This does not make logical sense. In theory, I could process payments via a PDQ machine directly connected to the phone line system and as the phone company is a "third party service provider" this could be argued to be compliant, but if I send it via e.g. an HTTPS website to an application hosted by our hosting company, this is technically going through our internal network before going through the wider internet (albeit encrypted via SSL) to our third party service provider. This is clearly "transmission on merchant premises".

    I'm probably interpreting things quite pedantically (but isn't that what you're supposed to do with this kind of security thing?), but the guidelines and forms are riddled with these ambiguities and contradictions. :(

    1. Re:Self assessment by Anonymous Coward · · Score: 1, Interesting

      It's required that they accept cash for all outstanding debt, but not for any initial purchase.

  4. Re:But when will consumers see additional security by Nursie · · Score: 3, Interesting

    "Credit card companies and banks make money from fraud."

    Not in the UK they don't. Oh sure, they probably have it insured, but until recently the liability for loss (where they couldn't prove the merchant or customer was complicit and don't catch anyone) was all theirs. This is because they supply the tech, they mandate the schemes, they set the standards.

    EMV goes some way to what you want, there is encrypted information sent between the card and the issuing bank that nobody else can read, but it is dependent upon PIN. The biggest hole in the scheme is that you are still allowed to fall back to magnetic strip transactions in some places. They tend to be where the fraud is done now.
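The weak point named above is that a chip card can still be accepted on its magnetic stripe. One defensive response on the issuer side is to make such transactions visible. The script below is an added example, not code from the original thread or from any card scheme: the record fields, entry-mode codes, threshold and sample authorizations are all constructed for illustration and do not follow a real authorization message format.

```python
"""Flag magnetic-stripe authorizations on cards that carry a chip.

Added illustration for the comment above. The idea: a genuine chip
failure on a chip-capable card is rare, while a copied stripe on a cloned
card is exactly what a fallback transaction looks like, so an issuer can
count stripe reads per chip card and review the cards that stand out.
All field names, codes and sample data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed POS entry-mode labels (hypothetical, not ISO 8583 values).
CHIP = "chip"              # EMV chip read, cryptogram present
CONTACTLESS = "contactless"
MAGSTRIPE = "magstripe"    # stripe read on a terminal with no chip reader
FALLBACK = "fallback"      # stripe read because the chip read "failed"


@dataclass(frozen=True)
class Authorization:
    card_id: str               # issuer-side token, never the PAN itself
    card_chip_capable: bool
    terminal_chip_capable: bool
    entry_mode: str
    amount: float
    country: str               # kept so an analyst sees where reads happen


def is_suspicious(auth: Authorization) -> bool:
    """A stripe read on a card that has a chip is the fallback case the
    comment describes; stripe reads on stripe-only cards are normal."""
    if not auth.card_chip_capable:
        return False  # nothing to fall back from
    return auth.entry_mode in (MAGSTRIPE, FALLBACK)


def fallback_report(auths, max_rate=0.5):
    """Per-card (suspect_count, total_count, rate) for every card whose
    share of stripe reads reaches max_rate; a card with no stripe reads
    on a chip card is never listed, whatever its total."""
    total = defaultdict(int)
    suspect = defaultdict(int)
    for a in auths:
        total[a.card_id] += 1
        if is_suspicious(a):
            suspect[a.card_id] += 1
    flagged = {}
    for card, n in total.items():
        rate = suspect[card] / n
        if suspect[card] and rate >= max_rate:
            flagged[card] = (suspect[card], n, round(rate, 2))
    return flagged


# Constructed sample: card A has one stripe read on an old terminal, card
# B is chip-capable but shows repeated "fallback" reads abroad on terminals
# that do have chip readers, card C has no chip at all.
SAMPLE = [
    Authorization("tok-A", True, True, CHIP, 42.10, "GB"),
    Authorization("tok-A", True, True, CONTACTLESS, 3.50, "GB"),
    Authorization("tok-A", True, False, MAGSTRIPE, 12.00, "US"),
    Authorization("tok-B", True, True, CHIP, 20.00, "GB"),
    Authorization("tok-B", True, True, FALLBACK, 250.00, "RO"),
    Authorization("tok-B", True, True, FALLBACK, 300.00, "RO"),
    Authorization("tok-C", False, True, MAGSTRIPE, 15.00, "US"),
]

if __name__ == "__main__":
    for card, (bad, n, rate) in fallback_report(SAMPLE).items():
        print(f"{card}: {bad} of {n} authorizations on the stripe ({rate:.0%})")
```

With the sample data, only `tok-B` is reported; `tok-A`'s single stripe read on a stripe-only terminal stays below the threshold and `tok-C` has no chip to fall back from. A real monitor would also weight a "fallback" read on a chip-capable terminal more heavily than a stripe read on an old terminal, since the former means the chip was present but not used.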

  5. Antivirus requirement by yuna49 · · Score: 3, Interesting

    From TFA:

    For instance, [the PCI revision] clarifies that all operating systems associated with card processing have to run antivirus software, while many had thought this was only about Microsoft Windows.

    "That sounds like a sensible piece of advice," says Sushila Nair, product manager at BT, who says organizations often deploy antivirus on Windows but erroneously believe Unix and Macs and other operating systems are somehow more invulnerable. However, she notes accommodating the clarified PCI rule on antivirus in many places will be "expensive."

    So what would constitute compliance with this rule? Is running periodic ClamAV scans on my Linux server sufficient? Will saying that I have ClamAV installed on the audit form be sufficient to comply with the new rule?

    This change seems to have as much to do with protecting the Windows franchise from erosion by *nix systems (in the name of "levelling the playing field") as it does with security. Not only does it ignore the very real differences in security among the various platforms, but it makes selling a Windows solution to upper management much easier than selling Linux. Of course a system with a Windows server and Norton or McAfee will pass muster. Linux+ClamAV? Who knows?

    1. Re:Antivirus requirement by gmack · · Score: 2, Interesting

      I nearly had a stroke when I read that, but thankfully it's a bad summary. The requirement is for machines "commonly affected by malicious software".

      So my back end Linux servers will still not have AV software.

      I'm not even sure why such a stupid rule even applies to windows really. A well maintained windows server should be safe from viral infection as long as it's not used for web browsing, email or file sharing. In other words nothing you would use a back end credit card processing server for.

  6. Re:Any advancement? by Ihlosi · · Score: 2, Interesting

    very very very hard way to physically clone a CC/DC

    Actually, at least in Europe, it's already pretty hard to clone a debit/ATM card well enough that a modern ATM will accept them.

    Did you notice the catch? "a modern ATM". That's why criminals only need to clone the magnetic strip (trivial) and get your PIN (also trivial), and then they send the data to their buddies in Eastern Europe to withdraw money using the not-so-modern ATMs used in these countries.

  7. Check writing still rampant by sjbe · · Score: 2, Interesting

    Now I appreciate that the US only recently moved away from Checks...

    Moved away from checks? Hardly. Go to any grocery store in the US the day all the old folks get their social security checks and you'll see what I mean. Most bills still are paid by check despite the cost, inconvenience and inefficiency. Checks remain very heavily used in the US anywhere you go. Hell, Visa even has an entire ad campaign for their debit cards to try to get people to use the cards instead of writing checks. Visa wouldn't be bothering if checks weren't an incredibly common method of payment.

    Otherwise you are right. The security sucks and there seems little motivation to improve matters.

  8. PCI doesn't provide actual security by scdeimos · · Score: 2, Interesting

    PCI is all about encrypting credit card numbers and expiry dates - and nothing else. Even a fully-PCI-compliant system is a rich source of unencrypted information for Identity Theft.

    Although the PCI security standards recommend to companies that they do criminal history checks on suspect employees working with credit card data (and a company I worked for, claiming PCI compliance, had a compulsory criminal history check on the first day for *all* employees even though they were working nowhere near credit card data) it still doesn't address some of the weakest links: the human operators and the GUIs that they use.

    I recently closed a Buyers Edge credit card, operated by GE Capital Finance in Australia. I couldn't supply the "account password" to the telephone operator on one call, but after supplying other identifying information the operator was able to READ MY ACCOUNT PASSWORD BACK TO ME. What's up with that: displaying the password for the account in clear text on the screen? Why aren't they encrypted? Why don't they have an input to type potential passwords into that says "Yes, it's right," or "No, it's wrong"? There's nothing stopping employees from snooping through customer records to gather saleable information for the Identity Theft market.

    The only good thing I can say from my experience is, "I'm glad my credit card with them is closed."
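The fix the comment above asks for, an operator screen that can only answer "matches" or "does not match", is what verify-only storage gives you: keep a salted, slow hash of the phrase, never the phrase, and log every check. The code below is an added example, not from the original comment or from any card issuer's system; the in-memory store, the normalisation rule for spoken phrases and the account data are constructed for illustration.

```python
"""Verify-only storage of a telephone "account password".

Added illustration for the comment above. Only a salted PBKDF2 hash of the
phrase is stored, so the operator GUI cannot display the phrase, a lookup
returns a bare yes/no, and each check leaves an audit record. The store,
the normalisation rule and the sample account are constructed.
"""
import hashlib
import hmac
import secrets
import unicodedata

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 rounds; raise as hardware allows


def _normalize(phrase: str) -> bytes:
    # Callers say the phrase aloud, so case and spacing differences carry
    # no meaning; fold them before hashing (assumption of this example).
    folded = unicodedata.normalize("NFKC", phrase).casefold()
    return " ".join(folded.split()).encode("utf-8")


def enroll(phrase: str) -> dict:
    """Return the record to store: salt, hash and work factor, not the phrase."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(phrase), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash for what the caller said and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(attempt), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class AccountStore:
    """Constructed in-memory account store.

    The operator-facing method returns only a boolean and records who
    checked which account, so browsing records yields nothing saleable
    and every lookup is attributable.
    """

    def __init__(self):
        self._records = {}
        self.audit_log = []  # (operator_id, account_id, matched)

    def set_phrase(self, account_id: str, phrase: str) -> None:
        self._records[account_id] = enroll(phrase)

    def operator_check(self, operator_id: str, account_id: str, attempt: str) -> bool:
        rec = self._records.get(account_id)
        ok = rec is not None and verify(rec, attempt)
        self.audit_log.append((operator_id, account_id, ok))
        return ok

    def screen_view(self, account_id: str):
        """What the operator GUI may show for the password field."""
        if account_id not in self._records:
            return None
        return {"password": "<set, not viewable>"}


if __name__ == "__main__":
    store = AccountStore()
    store.set_phrase("acct-1", "Blue Kangaroo 42")
    print(store.operator_check("op-7", "acct-1", "blue kangaroo 42"))  # True
    print(store.operator_check("op-7", "acct-1", "red kangaroo"))      # False
    print(store.screen_view("acct-1"))
    print(store.audit_log)
```

Two design points matter here: the comparison goes through `hmac.compare_digest` so response timing does not leak how much of the attempt was right, and the only thing the GUI ever holds for the field is a placeholder, so there is nothing for a screen or a screenshot to expose.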