Anniversary Of The EMV Deadline


Today we celebrate the one-year anniversary of the EMV liability shift on point-of-sale systems imposed by the credit card companies. Credit card companies have declared limited success by showing that credit card fraud from Point-Of-Sale (POS) transactions is down from last year, while card-not-present fraud transactions are up from last year.

I have written about how the rollout of new cards to support EMV mandates has been less than effective, and now other people are noting the same issues. This article by Sara Peters talks about the state of the current EMV mandates.

According to a report by The Strawhecker Group (TSG) released last week, only 44% of card-accepting merchants have EMV terminals. What’s worse, only 29% of card-accepting merchants can actually accept EMV chip-based transactions.

“You’re seeing a lot of pieces of paper over the chip readers,” says Jared Drieling, business intelligence manager of TSG. Paper, or maybe tape or stickers, he says.  

A Pattern-Based Approach to Capturing Compliance Requirements

Ensuring compliance with laws, regulations, and standards in a constantly changing business environment is a major challenge for companies. So, organizations have an increasing need for systematic approaches to manage compliance throughout the business process life cycle. A new pattern-based approach, including a toolset, captures and manages business process compliance requirements. This approach is a first step toward comprehensive management of business process compliance and acts as a springboard to fully automate and continuously audit business processes.


An article by Oktay Turetken, Amal Elgammal, Willem-Jan van den Heuvel, and Michael P. Papazoglou will help you understand the subject.

A new pattern-based framework captures and manages business process compliance requirements by acting as a springboard to fully automate and continuously audit business processes.

In today’s IT-centric business environment, managing compliance with regulations, laws, and other imperatives has become critical for success. Directives govern almost every aspect of running a business, requiring organizations to provide assurances to regulators, stakeholders, customers, and business partners. Assuring compliance across an enterprise necessitates a holistic, tractable, and disciplined approach for defining an integrated, consistent set of process- and system-level internal controls. Internal controls in particular should help an organization achieve its objectives regarding effective and efficient operations; reliable internal and external reporting; and compliance with applicable laws, regulations, and internal policies.

A series of large corporate scandals in the early 2000s led to various laws and regulations, such as the Sarbanes–Oxley Act (SOX) and Basel I–III. To address these regulatory measures, many companies have taken steps to integrate controls in their business processes (BPs) and enterprise systems. However, most of these attempts have led to highly tailored, isolated solutions involving hardcoded controls implementing requirements across multiple systems. This scattered structure impedes adaptation to the constantly changing business environment and growing body of laws, regulations, and standards.

As a first step toward comprehensive management of BP compliance, we’ve developed a pattern-based approach that captures and manages BP compliance requirements. This approach acts as a springboard to fully automate and continuously audit BPs.

The Challenges of BP Compliance

Mainstream approaches to managing internal controls in BPs are fragmented and focus mainly on retrospective reporting. However, this can lead to reactive risk prevention, which often incurs costly penalties. Existing tools, such as Oracle GRC (Governance, Risk, and Compliance) Accelerators and SAP BusinessObjects GRC solutions, offer solutions only for monolithic applications (such as enterprise resource planning systems). This severely restricts these solutions’ usability for modern BPs and supporting enterprise systems, which are highly distributed and interconnected.

POS Malware Leads to Data Breach

If you are working in the retail sector, you understand there is specific data that is the target of hackers and thieves: credit card data, specifically the data known as cardholder data (CHD). As a database administrator, you have to be prepared to react to the threat with increased security, as well as react to actual data or system breaches with a response.


What do you do when you find a breach?

If you, or your technical team, identify POS system malware on your retail systems that process, transmit, or store credit card data, take the following actions immediately:

  1. Inform your merchant bank. The sooner the bank can report the incident to the card associations, the better.
  2. Request a dial-up terminal from your merchant bank. The bank can usually get a terminal to you and up and running within 24 hours.
  3. Stop all payment-card processing on the affected systems.
     a. If the malware is found on your POS terminals, stop processing payment-card transactions on those terminals.
     b. If the malware is found on the BOH server, stop processing payment-card transactions on all POS terminals.
     c. You can continue to input orders into the system for purposes of inventory tracking and business analytics, but process payment card transactions on stand-alone, dial-up terminals. While temporarily inconvenient, the dial-up terminal with a phone-line connection to the bank is a secure method to process payments.

  4. Contact your local U.S. Secret Service (USSS) field office and ask to speak to the Electronic Crimes Special Agent Program (ECSAP). Payment card compromises fall within the ECSAP’s jurisdiction.
  5. Call a PCI forensic investigator (PFI).
  6. Take notes regarding exactly what occurred, when the malware was identified, how the malware was identified and any actions that have taken place since the initial discovery. This information will be valuable to the Secret Service and PFI.

Stop Using Windows XP

Microsoft will be ending extended support for Windows XP on April 8, 2014. After supporting this version of the Microsoft operating system for 12 and a half years, it has reached end of life. Microsoft has gone out of their way to extend support on several occasions, but the deadline this year looks like the final one. This means Microsoft will not be releasing any new security updates past the April 8th deadline.


Most serious technology experts will tell you it’s well past time to get rid of Windows XP and upgrade to a newer, safer operating system. It can be tough to explain, so I’ll give you a few real-world reasons to upgrade:

  1. The technology is old and security techniques and technologies have changed. Newer operating systems are much more secure.
  2. Windows XP will no longer get security patches from Microsoft. Once there is a vulnerability in the wild, you will have to address any security issues without any help from Microsoft.
  3. More and more software companies no longer make supported versions of their software that will work correctly on Windows XP.
  4. There are several options today, including upgraded versions of Windows (We have seen Vista, Windows 7, Windows 8 and now Windows 8.1 since Windows XP was originally released) as well as Apple Mac, Linux, etc.

Windows XP is statistically more dangerous than any other OS in the market, and there is more malware developed for it than any other operating system. It also has security holes that Microsoft can’t allocate the resources to fix. It’s basically the biggest target out there and support is running out fast. Every day a user continues to use XP is a day closer to a malware attack, rootkit, or keylogger that goes unnoticed. If you are still running Windows XP, you are asking to be hacked. As a business leader you should hang your head in shame that you haven’t addressed this issue.

If you are audited, maybe from a PCI auditor, your networks will be scanned each quarter. When your auditor finds Windows XP on your corporate network, especially if it is in the cardholder environment (where credit cards are processed, transmitted, or stored) and there is just one unaddressed high-level vulnerability, you will fail the scan.

Interestingly, there are reports that banks are still using Windows XP to run several versions of ATMs.

(Reuters) – Banks around the world, consumed with meeting more stringent capital regulations, will miss a deadline to upgrade outdated software for automated teller machines (ATMs) and face additional costs to Microsoft to keep them secure.

The U.S. software company first warned that it was planning to end support for Windows XP in 2007, but only one-third of the world’s 2.2 million ATMs which use the system will have been upgraded to a new platform, such as Windows 7 by the April deadline, according to NCR, one of the biggest ATM makers.

There is an interesting story from Tim Greene on InfoWorld.

If you continue to use Windows XP:

Assume you’ve been breached – Admitting this is half the battle. Operating under the assumption you’ve been compromised allows companies to better prepare for the inevitable and react quicker.

Conduct a risk assessment – Identify which systems in your retail environment process and store sensitive data, and if that data is vulnerable to an attack.

Create complex passwords – Use complex passwords (at least seven characters, including at least one number, one capital letter and one special character) on remote administration utilities.

Review logs – Remote connection logs, firewall logs and Windows Security Event logs often highlight hacker transgression – allowing you to detect an incident before it’s too late.

Pen test – Identify and remediate security weaknesses before the criminals spot them.

Run advanced anti-malware and DLP defenses – Consider technology like web security gateway and data loss prevention, which can be used to scan outgoing HTTP and HTTPS traffic that could identify when attackers are siphoning out cardholder data.
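The log review recommended above, as an added example that is not from the original post or from InfoWorld: a small Python reviewer over a constructed export of Windows XP-era Security Event log lines (event IDs 528/540 for successful logons, 529 for failures, logon type 10 for Terminal Services sessions), flagging repeated failures and remote logons from outside assumed trusted ranges. The pipe-delimited export format, the trusted address ranges and the store hours are assumptions for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Windows XP / Server 2003 security event IDs (pre-Vista numbering)
LOGON_OK, NET_LOGON_OK, LOGON_FAIL = 528, 540, 529
REMOTE_INTERACTIVE = 10  # logon type for Terminal Services / RDP sessions

# Constructed sample export (assumed format): timestamp|event_id|logon_type|user|source_ip
SAMPLE_LOG = """\
2014-03-02 09:12:41|528|2|posadmin|127.0.0.1
2014-03-02 23:47:03|529|10|Administrator|203.0.113.45
2014-03-02 23:47:09|529|10|Administrator|203.0.113.45
2014-03-02 23:47:15|529|10|Administrator|203.0.113.45
2014-03-02 23:47:22|528|10|Administrator|203.0.113.45
2014-03-03 10:05:10|540|3|bohsvc|10.10.5.20
"""

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed trusted ranges
BUSINESS_HOURS = range(7, 22)  # assumed store hours, 07:00 to 21:59

def parse(log_text):
    """Turn the pipe-delimited export into dicts with typed fields."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, eid, ltype, user, src = line.split("|")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "eid": int(eid), "ltype": int(ltype),
                     "user": user, "src": ip_address(src)})
    return rows

def is_internal(ip):
    return ip.is_loopback or any(ip in net for net in INTERNAL)

def review(rows, fail_threshold=3):
    """Return alert strings for events a reviewer should look at."""
    alerts, fails = [], {}
    for r in rows:
        if r["eid"] == LOGON_FAIL:
            key = (r["user"], r["src"])
            fails[key] = fails.get(key, 0) + 1
            if fails[key] == fail_threshold:  # alert once per (user, source) burst
                alerts.append(f"{fail_threshold} failed logons for {r['user']} from {r['src']}")
        elif r["eid"] in (LOGON_OK, NET_LOGON_OK):
            if r["ltype"] == REMOTE_INTERACTIVE and not is_internal(r["src"]):
                alerts.append(f"remote logon by {r['user']} from external {r['src']} at {r['ts']}")
            elif r["ts"].hour not in BUSINESS_HOURS:
                alerts.append(f"after-hours logon by {r['user']} from {r['src']} at {r['ts']}")
    return alerts

if __name__ == "__main__":
    for alert in review(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample export this reports the burst of failed Administrator logons and the external Terminal Services logon that followed it; the local and back-of-house service logons during store hours produce nothing.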

Are you still using Windows XP? What are you doing to upgrade to a different operating system before the April 8th deadline?