Safer Business Newsletter Q3 2012

Transcription

1 Safer Business Newsletter Q Welcome H ello and welcome to the latest edition of Safer Business News. Were you an Olympic addict, or did you avoid the games completely? Whatever your preference I hope you have enjoyed the summer so far and this newsletter finds you in good spirits. Ordinarily I ask for 2 industry expert pieces; however in this edition there is a single article focusing on Point to Point Encryption (P2PE). We asked the team at Foregenix who are P2PE QSAs to provide commentary on the subject. This article will undoubtedly answer many of your questions, and also perhaps at the same time raise new ones, which I would like to hear about. Something we get asked a lot about is the topic of a 'Risk Based Approach (RBA)' to PCI. Love or hate the subject, it has created a huge amount of discussion within the industry and it is appropriate that I comment on it. Colin Whittaker (Visa Europe, VP Payment System Risk) made statements at PCI London back in July PCI is the standard, it must be achieved by the deadlines set out and the Prioritised Approach must be used by Acquirers as the reporting tool. In addition he said an RBA cannot be used to Risk assess away PCI standards. I think that they are pretty clear statements; however that does not mean that the Card Schemes are ignoring the issue. Along with my team, I am looking at possible options in terms of the flexibility that WorldPay may offer merchants. As part of this process we are consulting with the Card Schemes, merchants and other significant bodies in the industry. We want to ensure if WorldPay goes to market with an offering it will be right for our merchants and the Card Schemes. That s enough from me. I hope you enjoy the newsletter, and as always you can provide feedback directly to me at Tim.Lansdale@WorldPay.com Timothy Lansdale Head of Payment Security In This Issue Round Up Calendar MasterCard Alert ISA Reminder QSA and ASV Feedback Quarterly Reporting Date Industry Expert Section Round Up In July the PCI Security Standards Council released a Point to Pont Encryption Programme Guide and a Self Assessment Questionnaire. The SSC say the PCI P2PE Programme Guide is designed to help solution providers, application vendors, and P2PE assessors understand how to complete a P2PE assessment and submit it to the Council for acceptance and listing on the PCI SSC website. The document includes: Overview of P2PE solution validation processes Considerations for P2PE Solution providers preparing for assessment Reporting considerations for P2PE assessors Considerations for managing validated P2PE Solutions Listing of applications used in P2PE solutions The SAQ P2PE-HW is for merchants who process cardholder data via hardware terminals included in a validated P2PE solution and consists of the following components: Merchant eligibility criteria SAQ completion steps Self-Assessment Questionnaire (validation of PCI DSS Requirements) Attestation of Compliance, including Attestation of PIM Implementation Also note the difference in the format of the SAQ providing you with more information about the applicable requirements. There is an FAQ document aimed at merchants covering a few basics of P2PE. It is well worth spending five minutes looking over if you are not familiar with P2PE. All of the above documents are found on the PCI SSC website WorldPay: PCI SSC:

2 In June Visa Europe released a fact sheet on Security Logging. It is written as a result of data breach investigation, but really does highlight the need for not only implementing logging but also managing it on an ongoing basis. This and other Visa Europe factsheets can be found at retail ers/payment_security/downloads resources.asp x This month the PCI SSC has made Internal Security Assessor (ISA) training available online. Upon completing the online training you will need to attend a test centre for the final assessment. More information about the E-learning option can be found at raining.php Now live is the Qualified Integrators and Reseller (QIR) Programme. The programme aims to provide integrators and resellers that install, sell, and/or service payment applications with specialised training and qualification. The training provided by the PCI SSC offers guidelines and best practices on the secure installation and maintenance of PA-DSS validated payment applications in a manner that supports PCI DSS compliance. The PCI SSC will maintain a list of trained QIRs which you can use when looking for a PCI approved partner. According to the PCI SSC choosing an approved service provider will help you: Improve security, reduce risk, and help achieve PCI compliance Simplify the vendor selection process Build confidence that your PCI DSS compliance efforts will be supported Calendar July 2012 MasterCard deadline. Merchants must be either PCI DSS compliant or be using PA-DSS certified payment application by 1st July Please advise us if you know or think your application is not compliant! Visa Europe deadline. From 31st any merchant using a payment application that is listed as vulnerable by Visa Europe or Visa Inc. must either upgrade the application to remove the identified vulnerability, or use a PA-DSS compliant version of the application within six months of the application being identified as vulnerable. Visa Europe Deadline. All pre-pci PED s (devices designed and tested earlier than PCI PED version 1.x specifications) used in an attended (face-to-face) environment to be replaced with Visa approved devices (at the time of deployment) by 31. Visa Europe Deadline. Merchants can only use third parties on the Merchant Agent Registration portal from 31 st. The List of PCI DSS Validated Service Providers is still valid throughout Industry Events Merchant Agent Risk Forum. On 17 September in London, the first Merchant Agent Risk Forum will take place. It will explore the key issues relating to the evolving payments risk landscape and merchant agents. For more information and to register please go to PCI Participating Organisation European Community Meeting 22 nd 24 th October in Dublin. Please note you have to be a registered Participating Organisation to attend. More information can be found at eeting/2012/ PCI ISA Training 18 th 19 th October in Dublin raining.php MasterCard Alert Moving away from PCI compliance for a moment, MasterCard have issued a notice advising the community to look out for the Gauss malware in their systems. Based on the Flame malware, both have seen wide press coverage in recent months. It appears Gauss was written to collect a range of data from infected systems. So far only one infected system has been detected in the UK but that doesn t mean there aren t more that have not yet been discovered. For more information on what to look out for go to: Gauss_Abnormal_Distribution ISA Reminder A final note on this topic as the MasterCard deadline has now passed. PCI level 1 and 2 merchants can no longer self assess compliance. You must either contract a Qualified Security Assessor (QSA), or ensure the staff carrying out your PCI Audit attend the PCI Internal Security Assessor (ISA) course and complete a Report on Compliance. You can find more information on the ISA course on the PCI SSC website: raining.php#schedule

3 QSA and ASV Feedback Did you know you can provide feedback to the PCI Council on your QSA and ASV partners? QSA and ASV companies are regulated by the PCI Council so your opinion is important to them. On the PCI SSC website you can find a 15 question form to complete, allowing you to offer your opinion of the service provided don t forget this is for positive and negative feedback. The forms can be found in the PCI DSS documents library on Quarterly Reporting Please remember, if you are not compliant you must submit your progress reports quarterly (March, June, September and December). These updates demonstrate your progress towards compliance to both Visa and MasterCard. If you do not submit anything we cannot create it for you. The updates should be based on the Prioritised Approach reporting tool that both card schemes mandate. The tool can be found on our website at: -reporting.html If you are compliant please supply the details of your latest ASV scan report. Your next progress update should be submitted to us by 21st September Industry Expert Section This quarter we are focussing solely on the subject of Point 2 Point Encryption (P2PE). It is a subject that has been causing a stir in the community for a number of years, and we should start seeing some certified products on the market very soon. So why are merchants so interested in P2PE? Well in essence a simple solution will encrypt the card data at the chip and pin terminal and only be decrypted by a service provider. In theory this means merchants could have a smaller Card Data Environment, thus reducing the workload to becoming compliant whilst also reducing the risk of data loss. It seems like an age ago when this subject first came up. The first documents were released back in March 2010, when Visa Europe stepped forward and put out two best practice guides on data field encryption. These gave merchants and vendors an idea of where to start looking. In October 2010 the PCI SSC released their roadmap for the solution, providing definition, scope and outlining the actions they needed to take before any solution could be accredited. In September 2011 the first set of validation requirements for point-to-point encryption solutions were released. This was followed up in April 2012 with testing procedures, and in June the first QSA training courses were run. July saw the SSC release the P2PE Self Assessment Questionnaire which will give you guidance on what to look out for when installing the products. So here we are in August, some of you have chosen your product and are awaiting certification to then start testing and installation, others have walked away for a few years until the market matures. What ever your choice one message has remained the same; it is not a silver bullet to avoid compliance. It will help to reduce the scope but you still have to control of the environment and ensure policy and procedures are in place amongst other requirements. We asked the team at Foregenix to give us some background on P2PE, and what merchants should look out for. Here are their thoughts on the subject. Considerations for Deploying a P2PE Solution Most retailers built their business networks and systems with connectivity in mind, rather than ensuring the security of cardholder data (generally these businesses have been in place for longer than the PCI DSS) and so they tend to have completely open and flat networks, with cardholder data distributed widely. This creates a significant issue for retailers to secure their business systems, reduce risk and become PCI DSS Compliant as their whole environment falls into scope of PCI DSS compliance. Their projects become immense, unwieldy and frankly, doomed for failure since unless they make significant (and usually prohibitively expensive) changes to their infrastructure, they simply will never reach compliance, let alone maintaining it once achieved. For retailers in this situation, a P2PE solution is hugely compelling, as it will ensure that all future transactions are taken out of scope of PCI DSS Compliance. For all the legacy cardholder data, a payment card data discovery and monitoring solution will enable them to identify and eradicate sensitive data from their environments and ensure no further leakage of sensitive cardholder data via applications with debug logging turned on or users inadvertently compiling manual spread sheets. In these cases, retailers are able to remove the vast majority of their PCI DSS challenge, enabling them to focus on what they were originally in

4 business to do sell their goods and services. When considering whether to implement a P2PE solution, every retailer will compile a list of pro s and cons to the solution here we have listed a couple of the pros and cons that we feel are pivotal in the decision making process: Pro # 1: PCI DSS Simplified Once the decision has been made to roll out a P2PE solution in tandem with a cardholder data discovery solution, the PCI DSS compliance validation process is significantly simplified and is generally completed with relatively few challenges. To estimate how much this type of solution will simplify your PCI DSS, we would recommend viewing your current environment as being largely in scope and then working out (at a high level) what controls would need to be put in place on each system within that environment; for example, File Integrity Monitoring, Log Monitoring, Vulnerability Scanning, Key Management to name a few. Additionally, assigning a cost to those controls (and the personnel required to manage those controls) will also be fairly revealing to the decision makers. What will quickly become apparent is that in the typical retail environment, PCI DSS compliance can become an arduous, expensive project very easily. A P2PE certified solution will remove the vast majority of the above systems from your PCI scope, thereby meaning a far lesser challenging journey to achieve compliance, and in most cases, a lot less expensive. Pro # 2: Reduced Risk The P2PE certification is designed to be a significant undertaking for any solution provider to achieve. The intention is to make sure that every part of the solution has been assessed in detail by a P2PE QSA to ensure that the final solution that merchants use is effective at protecting the payment card data to the level stipulated in the P2PE standard. Such solutions will ensure that PCI DSS Compliance is achieved far more easily, as well as delivering tangible risk reduction. With a P2PE certified solution, the cardholder data is fully encrypted with the ability to decrypt the data being possibly only within a very secure part of the solution, or by the managed service provider. Without merchant access to that unencrypted data, the risk of having the data exposed/stolen from the merchant systems is significantly reduced. Con # 1: P2PE Solution Selection There has been significant attention placed on the P2PE standard and the benefits it provides to merchants. As a result there are a large number of solution providers pitching their products as P2PE solutions to the market. As the P2PE standard has only recently been released, there is currently not a single solution certified as P2PE compliant, anywhere, globally! So caution should be exercised in distilling the features and benefits of proposed P2PE compliant solutions. We have already seen a number of early adopter retailers falling for the glossy marketing hype of solutions purporting to be implementing best practice and P2PE, that on closer inspection, have been demonstrated to be very far from delivering the benefits that a P2PE solution will provide in terms of improved security with risk and PCI DSS scope reduction. It goes without saying, there are unscrupulous vendors out there (as there are in any industry) and as retailers realise P2PE is the way forward and the market surges for solutions, so too will these vendors peddle their wares. We would recommend that if you are considering using a P2PE solution, that you only consider solutions that have been certified and listed as certified by the PCI SSC. There will be quite a few solutions certified in the near future to provide you with choice. Do be cautious, speak with your peers, discuss with your Acquirer and by all means feel free to reach out to us for an independent opinion. Con # 2: Integration with Existing Systems P2PE certified solutions are designed to reduce your risk and simplify your PCI challenges. In the process of achieving this level of security, there will undoubtedly be changes in the way that they interact with existing solutions in the field and it should be expected that some processes and systems may need to change, or be updated, along with the payment solution in order to provide the retailers with the secure, effective payment solution that they require and depend on. Con # 3: Vendor Lock In An argument that is often put forward when considering P2PE solutions is the fact that the vast majority of these solutions are run as managed services and it seems that retailers are less than eager to tie themselves into a long term service contract with a managed service provider for the following reasons: It reduces the merchant flexibility on changing supplier and technology. There is inherent risk in relying on a single service provider. Understandably these are important considerations when looking at an emerging technology; however, it could be argued that investing time in selecting the right partner up front will ensure that a retailer selects the right solution for their business.

5 Additionally, there are solutions being proposed that offer merchants an in-house P2PE solution that may be deployed and maintained within the merchant environment. The jury at the PCI SSC is currently sitting on the fence as to what impact this has on the controls and de-scoping of the environment. Thus we strongly suggest treading with caution in these scenarios. We re waiting for definitive guidance from the PCI SSC regarding internally managed P2PE solution. Summary P2PE solutions most definitely offer significant benefits in reducing risk and PCI DSS scope (and associated costs) while improving security of cardholder data. We highly recommend investing the time and effort in evaluating how a P2PE solution could help your business. There are definitely some areas that may raise concerns for some retailers as indicated above; however, having a thorough understanding of the technology behind some of the solutions currently working towards P2PE certification, we are confident that they will improve the security and risk posture of the vast majority of merchants that buy into them. For more information on P2PE and the pros and cons of the various solutions, please get in touch with Foregenix at Thanks for reading Thanks for taking the time to read our newsletter. Should you have any questions about the contents please contact either your dedicated PCI Manager or any member of the team on or paymentsecurity@worldpay.com. If you would like to read any of the previous editions of the newsletter, you can find the full back catalogue on our website at: