Contact FortConsult if you wish to know:
- How to interpret the security requirements in PA DSS
- Whether you have the option of exemption from PA DSS certification
- How to be PA DSS validated in the quickest and most straightforward manner
- How you can minimise your costs in qualifying for PA DSS validation

We can also help you obtain PA DSS validation.
FortConsult is the only Danish enterprise which is certified by the credit card companies to both conduct audits and security scans of enterprises' critical payment systems in accordance with PCI DSS - and to check security in payment software in accordance with PA DSS.
 
Security news from FortConsult
 
Content
1. American PCI legislation heralds new era in Europe
2. Smart card on the way to amending the PCI standard
3. New standard for PCI scanning alters the process
4. Simple PCI solutions are often the best and the cheapest
 
1. American PCI legislation heralds new era in Europe

Today, no specific legislation exists in the PCI area in Denmark. We only have the PCI standard, which is not a law, but a voluntary agreement between two parties subject to the rules of general contract law. This has hitherto also been the case in the USA, but here there are new legislative regulations on credit card security on the way, and this development will almost certainly spread to the EU and Denmark in the future. Among other things, new rules of law on data leakage are sure to be adopted in Europe.
 
The American rules
The new American rules of law mean that it has been decided to include rules on the protection of credit cards in legislation in Nevada, Minnesota and most recently Washington, and it is likely that more states will follow in due course.
 
The latest legislation in Washington came into force on 1 July 2010 and means that American businesses are now forced to comply with certain rules in terms of credit cards. The aim of the law is that an issuing bank will be able to receive compensation for costs incurred in issuing new cards if a shop with more than 6 million transactions or card processes loses card data because the data was not adequately protected. In the state of Nevada, a different approach has been taken, whereby new legislation requires that the business community must comply with the PCI standard.
 
What will it mean for the EU?
In the EU there is of course a great deal of interest as to whether, as in the USA, PCI-like requirements will be incorporated at national or European level. Credit card companies would rather not see legislation being introduced, but would prefer to be able to define and administrate the rules themselves. Currently, there is nothing to suggest that legislation on the protection of credit cards will be introduced in the foreseeable future. On the other hand, in Europe there has generally speaking been a tradition for incorporating consumer protection into legislation, and therefore in the not too distant future we can expect to see several new laws dealing with payment security in the EU.
 
In conjunction with the SEPA directive, which will primarily be implemented in the Euro member states, a requirement will be specified this year, for example, that payments must take place by means of a smart card. Unfortunately, the EU rules say nothing about the sanctions that will be imposed should the requirement concerning smart card payment not be complied with.
 
Rules on data leakage on the way in the EU
When it comes to consumer protection in connection with data leakage, rules of law already exist in the area in the USA. These rules mean that if you lose data, you are obliged to go public and account for this data loss.
 
Similar rules are also on the way to being incorporated into EU legislation, and the United Kingdom, for example, has already implemented sanctions in connection with data loss in its national legislation.
 
Since 6 April this year, the Information Commissioner's Office (ICO) has had the authority to issue fines and orders with respect to data loss. Fines today can be as high as £500,000, whereas prior to 6 April the maximum figure was £6,000. The rules were introduced following a scandal in which Customs & Excise lost information on 25 million British nationals because this information was stored on a CD which got lost in the post.
 
Marks & Spencer was also ordered to encrypt all its laptop computers after losing information about 26,000 employees because a computer was stolen from an employee.
 
Unlike the American rules, however, the British rules do not require that companies go public about all incidences of data loss.
 
At EU level, the so-called Digital Agenda is also on the way. It has seven main initiatives which mean that rules will soon be introduced specifying that Internet service providers will have to publicise incidences in which they lose personal data. The rules will probably subsequently be applied more widely, such that they will also end up applying to other types of business enterprise.
 
Rules will bolster credit card security in the EU and in Denmark
In terms of credit card security in the EU and Denmark, FortConsult believes that the new EU rules of law represent a definite improvement.
 
First of all, they will be of benefit to both businesses and consumers, because there will be greater transparency as we begin to get more information about the extent of data loss in Europe if businesses are forced to go public. It will also make it much clearer to businesses why it is so important to have credit card security under control.
 
At the same time, the rules will create a much more tangible incentive amongst businesses to protect the data as effectively as possible, since their reputations will suffer if an incidence of data loss forces them to go public, in addition to which they may end up facing economic sanctions.
 
2. Smart card on the way to amending the PCI standard

The smart card, or chip card, is on the cusp of replacing cards with magnetic stripes in the USA, and at the same time it is the PCI Council's intention that the PCI standard should be adapted to the smart card. This is good news for Denmark and the rest of Europe, where a wish to amend the PCI standard has long been on the agenda, because the smart card is much more widespread in Europe than cards with magnetic stripes.
 
PCI standard is based on cards with magnetic stripes
The PCI standard, which we use in Europe, and thus in Denmark, stems from the USA. The standard is therefore also based on protecting credit cards with magnetic stripes, since this is the type of card that is by far the most common in the USA.
 
The PCI standard is without doubt justified by the large volume of card numbers that are copied and misused all over the world. For several decades it has been possible to copy a magnetic stripe from a card and then transfer this content to another card. However, it is only within the last 5-10 years that criminals have focused to a major extent on fraud by means of technology and the Internet, since all payment systems are now either directly or indirectly connected to the Internet. Since 2004 the PCI Council has therefore focused on developing the PCI standard so that card numbers are protected during storage and when payment takes place.
 
The smart card is a step closer to secure technology
In Denmark and the rest of Europe, however, we have more or less replaced credit cards with magnetic stripes with the much more secure smart card (EMV). Since we use the same PCI standard as the USA, however, we still have to comply with the same 240 security provisions as American businesses, because the rules do not take into account the fact that European cards are a lot more secure.
 
This means that today's PCI standard does not actually reflect conditions in Europe, because it does not take into account the greater security inherent in a smart card.
 
While the PCI standard is actually designed to enhance security in what is basically an insecure technology - i.e. credit cards with magnetic stripes - in Europe we have chosen to focus on having technology which is fundamentally secure, in the form of the smart card.
 
As a consequence, many of the controls that are in the PCI standard today are of less importance in Europe seen from a security point of view. They are therefore reduced to a sort of compliance check.
 
As a result, there has long been a wish on many fronts for the USA to introduce EMV cards in order to boost security, at the same time as which the PCI standard can then be brought up to date and reflect the level of security in Europe.
 
The advantages of EMV
The advantage of EMV in overall terms is that it contains an integrated circuit which is involved in the actual transaction. The card contains a digital ID, which the card uses to prove its authenticity as part of the transaction. In newer cards, security is further enhanced through the use of Dynamic Data Authentication (DDA), which adds a random challenge/response step to the authorisation process.
 
During the transaction process the terminal sends transaction information and a random number to the smart card. The chip uses an internal private key to generate a unique digital signature for the specific transaction. The chip's transaction signature is checked using a public key by the terminal and the network as part of the authorisation process. Only a genuine chip can provide a valid signature on the basis of the data it receives, and therefore the DDA process confirms that the card is both genuine and physically present. The chip in the card calculates the response internally, thus ensuring that the important information does not leave the chip, which means that information cannot be copied as in the case of a card with a magnetic stripe.
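The DDA exchange described above, as an added example that is not code from the newsletter or from any EMV implementation: the terminal sends transaction data plus a random challenge, the chip signs them with a private key that never leaves it, and the terminal checks the signature with the public key. It assumes ECDSA over P-256 with SHA-256 in place of EMV's RSA-based certificate scheme and a simplified request format (amount, currency, challenge).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ChipCard stands in for the EMV chip; only the chip ever holds the private key.
type ChipCard struct {
	priv *ecdsa.PrivateKey
}

// NewChipCard generates the card's key pair at personalisation time. Real EMV
// cards use RSA keys under an issuer certificate chain; P-256 is a stand-in here.
func NewChipCard() (*ChipCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ChipCard{priv: priv}, nil
}

// PublicKey is the only key material the terminal needs to check a signature.
func (c *ChipCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// TerminalRequest is what the terminal sends to the chip: transaction data
// plus a fresh random challenge (EMV calls it the unpredictable number).
type TerminalRequest struct {
	AmountMinor uint32 // 12995 means 129.95 in the currency's minor unit
	Currency    string
	Challenge   [8]byte
}

// NewTerminalRequest draws a new challenge for every transaction.
func NewTerminalRequest(amountMinor uint32, currency string) (TerminalRequest, error) {
	req := TerminalRequest{AmountMinor: amountMinor, Currency: currency}
	if _, err := rand.Read(req.Challenge[:]); err != nil {
		return TerminalRequest{}, err
	}
	return req, nil
}

// digest binds amount, currency and challenge into the value that gets signed.
func (r TerminalRequest) digest() []byte {
	h := sha256.New()
	var amt [4]byte
	binary.BigEndian.PutUint32(amt[:], r.AmountMinor)
	h.Write(amt[:])
	h.Write([]byte(r.Currency))
	h.Write(r.Challenge[:])
	return h.Sum(nil)
}

// SignTransaction runs inside the chip; the private key never leaves it.
func (c *ChipCard) SignTransaction(req TerminalRequest) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, req.digest())
}

// VerifyTransaction is the terminal/network check: it passes only for a
// signature made by the genuine key over exactly this request and challenge.
func VerifyTransaction(pub *ecdsa.PublicKey, req TerminalRequest, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, req.digest(), sig)
}

func main() {
	card, _ := NewChipCard()
	req, _ := NewTerminalRequest(12995, "DKK")
	sig, _ := card.SignTransaction(req)
	fmt.Println("genuine chip, fresh challenge:", VerifyTransaction(card.PublicKey(), req, sig))
	// A captured signature is worthless for the next transaction: new challenge, new digest.
	next, _ := NewTerminalRequest(12995, "DKK")
	fmt.Println("replayed signature, new challenge:", VerifyTransaction(card.PublicKey(), next, sig))
}
```

This is why copying the card's readable data (as a magnetic stripe skimmer does) yields nothing usable: without the private key no valid response to a fresh challenge can be produced.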
 
EMV has represented a robust safeguard against attack for many years, and the technology is still regarded as being relatively secure today. In a European perspective, however, the fact that our cards are still equipped with a magnetic stripe so that they can be used outside the EU represents a problem. The magnetic stripe can be copied and used to make copies of cards which can be used fraudulently abroad. This means, among other things, that the PCI rules impose a great expense on many businesses because of the risk of theft from insecure magnetic stripe systems (and through e-commerce).
 
FortConsult has conducted many audits throughout the past six years. The majority have taken place in Europe, but we have also conducted audits in the USA, China, Russia, Canada and several other countries outside Europe. Our experience clearly confirms that EMV significantly restricts the chance of stealing data.
 
We thus regard it as very positive that there are signs that there is a wish to use EMV in the USA and that it is the PCI Council's intention that the forthcoming version of the PCI standard will try to adapt the rules to the smart card - although we do not yet know how. This will be of benefit to both Danish and other businesses that have implemented EMV, because the smart card deals with the root of the problem: that magnetic stripe technology is a fundamentally insecure system.
 
WalMart chooses the smart card
In the USA the supermarket chain WalMart has recently introduced payment by smart card and PIN in order to improve security. All WalMart's hardware is already primed to use EMV technology and the company is currently working on completing the software.
 
Ellen Richey, Chief Enterprise Risk Officer at Visa, USA, has commented on the problem in the USA. In this regard, she has remarked that it is not a question of whether the USA will begin to use chips or not, but rather a question of when and how. At the same time, Richey has said that Visa believes that chip technology increases security and makes it both easier and faster to effect transactions for customers and businesses, and that Visa is therefore in full support of this technology.
 
However, there is still a long way to go before the smart card becomes the dominant type of credit card in the USA, but as it becomes more common, it is hoped that the PCI standard will be adapted to the new and more secure reality in the USA and thereby also in Europe.
 
The smart card does not solve the problem of security with respect to online payment, however, where the card number, expiry date and card verification value or code are still used. Hence in this regard the same challenges will remain in terms of creating security with respect to the information on the card, although in this case work on new and more secure solutions is ongoing - but this lies somewhat further out in the future.
 
3. New standard for PCI scanning alters the process

Your ASV (Approved Scanning Vendor) will in future begin to put other questions to you and do a number of other things that you are not used to when carrying out PCI scanning. This is due to the fact that the PCI Council has amended the rules in the section of the PCI standard concerning scanning. New requirements will be specified with respect to the services of ASVs.
 
ASVs to become more involved in the process
The new rules do not make a huge difference to this type of scanning. It is still a scan which in overall terms is designed to reveal vulnerabilities with some focus on web applications, but the process concerning the scan has been fundamentally altered.
 
Although it has always been the intention in PCI scanning rules that the ASV is to help the customer with the scan, the rules hitherto have actually made it possible for an enterprise to take complete charge of the entire process involving an ASV scanning. This has meant that an ASV has in reality been able to make a web interface available for its customers, who have then been able to enter information and IP addresses themselves and carry out scanning on their own.
 
The problem with this method is that a number of PCI scans have been carried out erroneously because the ASV has not checked that the information that the customer enters in the web interface is the correct and necessary information. The previous solution has thus led to the risk of operating errors because in many cases ASVs have told their customers that a scan can be effected by means of just a few clicks in a web interface and nothing else. There is thus in principle no guarantee that the business is in fact secure, even though it may have passed the PCI scanning on paper, which can easily reduce the check to a sort of pseudo scanning. This means that there can be a great difference in the level of security that PCI scanning should provide - and which the PCI Council has intended - and the level of security which businesses actually achieve.
 
This type of self-service is typically practised by ASVs which compete primarily on price. It is a method we at FortConsult have always been critical of, and one which we have therefore never practised as an ASV.
 
We have always argued that the ASV should be an active part of the process. We are therefore also very satisfied to see that the new rules mean that the ASV is involved in the scanning process to a greater extent than stipulated by the previous rules. This will help to verify that the actual security level follows the PCI standard, which is of course in the best interests of the customers.
 
Consequences of the new rules
As a purchaser of PCI scanning, one of the effects of the new procedures will be that your ASV will in future check that the information you enter is correct, that scanning takes place correctly and that the scanning report is accurate.
 
The new rules also specifically point out that the ASV must always double-check scanning results that are thought to contain false positives.
 
The enterprise must examine the supposed false positives itself and explain why they only represent an error in the scanning mechanism and not a real vulnerability. This also applies if a false positive is discovered in two consecutive quarters without the configuration having been altered. This will of course make the process more demanding than before, and many will find it a source of irritation. However, based on a principle of prudence, we believe that the tightening up of the rules makes good sense because something that looks like a false positive occasionally actually proves to be a vulnerability.
 
More focus on web applications
The new rules also mean that the web application test has received higher priority, a development that we particularly applaud. This area was almost completely overlooked in the previous rules, despite the fact that the majority of break-ins today take place via vulnerabilities in web applications. There is still a long way to go before a dedicated web application test is specified, but businesses should also carry out this type of test themselves in connection with chapter six of the PCI standard. In practice, however, there are many small businesses that do not carry out the checks in accordance with chapter six and therefore make do with PCI scanning (and this will of course make them noncompliant, since they do not carry out all the checks).
 
In addition, the rules also include guidance for situations in which IDS/IPS is used, in which elements of the solution are outsourced, and for many other situations that a customer might encounter in its day-to-day operations and which have not previously been clearly described.
 
New rules boost security levels
The new rules have been underway for a long time and have been subject to a lot of work by many different stakeholders. It has also been necessary to work on these rules, since they basically build on the MasterCard standard, which is almost 10 years old, and which was originally not coupled to the PCI standard (which is based on the Visa CISP standard).
 
In our opinion, previous PCI scanning has not provided appreciable security for those enterprises for which a scan was carried out. However, as mentioned earlier, it has resulted in an approval of security on paper, and in the case of many businesses PCI scanning has been the only process carried out by an external supplier in order to validate compliance with the PCI standard.
 
Therefore the new procedures are, in the opinion of FortConsult, a step in the right direction towards better security, because the previous rules were unable to ensure that the intention of the PCI Council's rules was backed up to a sufficient extent. We therefore also hope that the wording of the new rules will be clear enough to weed out a number of ASVs operating in the industry. Some ASVs have hitherto exploited the shortcomings of the former set of rules to offer discount scanning, which has unfortunately contributed to the dilution of the quality of PCI scanning. These ASVs have therefore undermined both the standard and, at the end of the day, also the security of their customers.
 
The new rules will therefore probably mean that low-price scanning will become more expensive - unless low-price ASVs are able to find a loophole in the PCI Council's rules and intentions. At FortConsult we do not expect to make any amendments to the price of ASV scanning, since we have always been involved in the scanning process in order to ensure that scanning for our customers is carried out on the basis of the correct procedures.
 
At present, ASVs can choose whether or not to follow the new or the former rules, but from 1 September all ASVs must comply with the new rules.
 
4. Simple PCI solutions are often the best and the cheapest

When we speak at PCI conferences around the world, we are often contacted afterwards by hardware and software vendors that want us to look at their PCI security solutions in more detail and recommend them to the customers for whom we are a QSA (Qualified Security Assessor). This is due to the fact that many of the hardware and software vendors have become aware of the opportunities available in the PCI area, and in many cases QSAs also operate a profitable business selling solutions alongside their core business of conducting audits. Mixing the role of QSA and vendor is not, however, without problems, because there is a tendency for customers to end up buying PCI solutions that are excessive and overly complex in relation to their actual needs.
 
In our opinion, it is most important for a QSA to retain its independence so that the customers always know that they can trust the advice given to them by the QSA about what they have to alter in their security system in order to comply with the PCI standard. If, like a car mechanic, you both point out the problem and sell the solution to the same problem, you risk losing credibility, and we therefore usually politely decline the opportunity to work with these vendors.
 
Many businesses overspend on PCI solutions
As a customer of a QSA the problem is often that you are not always aware of which solution is required to ensure compliance with the PCI standard. We therefore see a tendency for many businesses to buy over the odds in excessively advanced solutions in the PCI area. This is due to the fact that customers do not always know how to fulfil the concrete requirements of the PCI standard, but also that many customers have been overwhelmed by the many functions that typically make up comprehensive full-line solutions.
 
The problem with many of the advanced functions is that they are based on standard security products which are typically not designed to meet the requirements of the PCI standard, but instead are produced to cover many different types of security needs. Of course, many of the products can be adapted so that they cover a particular area of the PCI standard, such as the monitoring of log files or ID management. However, we often see that a business is surprised that the advanced solution it has invested in does not in fact comply with all the PCI rules, but has to be supplemented by one or more other solutions. This often makes it difficult for businesses to assess and administrate their PCI solutions, and they can then easily end up in a situation in which their PCI solution is never properly implemented. In many cases we see very expensive and advanced solutions that are not properly implemented in the organisation and therefore do not function as they should.
 
Actually, however, it need not be so difficult.
 
Homemade solutions go a long way
Many of our customers have developed their own solutions which are simple and which function very well. They are certified by us as the QSA, and they are also typically very well integrated into the company's other processes and existing software.
 
In other words, the trick is to find a solution that fulfils the needs you actually have in terms of PCI, and then make sure that the solution is fully implemented in your day-to-day operations. This often results in both the most secure and cost-effective solution and a process that makes it possible to comply with the PCI standard in the most straightforward manner.
 
In the next newsletter you can read more about the new PCI standard, which is due to come into force on 1 January 2011.
 
Best regards

Lars Syberg
PCI Product Manager
FortConsult A/S
- PCI DSS certified in 2004 to perform security scans as the first and only company in Scandinavia.
- PCI DSS certified in 2005 to conduct audits as the first and only company in Scandinavia.
- Chosen by the bank sector in Denmark to help all Danish bank data centres to acquire PCI DSS validation due to our early PCI DSS certification, our considerable experience in the PCI area and our extensive knowledge of the financial sector.
- Permanent PCI DSS service provider to all Danish banks needing PCI DSS assistance.
- Has carried out PCI DSS tasks for some of the biggest retail chains in Scandinavia at international level.
- Is today the leading PCI DSS service provider in Scandinavia and the Baltic. We have, for instance, certified more than 60 percent of the enterprises on VISA's list of validated Scandinavian service providers.
- PA DSS certified in 2008 as the first and only company in Denmark - and among the first 14 in the world.
PCI newsletter - August 2010