PCI council gives up, dumbs down PCI DSS for small business

The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses. The prodigious task will be tackled by encouraging small businesses to adopt security best practice and simplified Payment Card Industry Data Security Standards (PCI DSS). Barclaycard payment …

  1. Anonymous Coward

    based on experience of SMEs

    "They usually have very limited resources and technical expertise at their disposal, and often lack the necessary tools, information and education to recover and prevent them."

    Based on half-a-dozen - not many, I know, but fairly typical - small to medium businesses in the UK over the last few years, IT security is not the weakest link in their payment security chain. It's never wonderful, for reasons we all know, but compared with

    a) the company that entered card details into a shared spreadsheet for processing at the end of each shift, but just in case anyone forgot it, put the spreadsheet password on the notice board;

    b) the company where only two people were allowed to use the card machine so everyone else wrote things on Post-it notes;

    c) the company where customers were talked through giving their card details over the phone so staff could enter details into the website if customers couldn't use it.

    then in some cases the IT security is wonderful in comparison.

    1. TrishaD

      Re: based on experience of SMEs

      Or the major organisation whose retail outlets used to photocopy the front and back of customers' credit cards and put them in their file... I still wake up with cold sweats over that one.

      I do quite a lot of work doing due diligence on SMEs and there's an even split between folks who apply common sense and apply best practice to the best of their abilities and those who think it all involves too much braining...

    2. Anonymous Coward

      Re: based on experience of SMEs

      "c) the company where customers were talked through giving their card details over the phone so staff could enter details into the website if customers couldn't use it."

      This isn't a major issue if done securely; many call centres do something similar. As long as there is no call recording, or the recording system they have is PCI compliant, and the connection to the web server is fully secure and no 3D Secure details are passed over.

      1. Doctor Syntax

        Re: based on experience of SMEs

        "As long as there is no call recording or the recording system they have is PCI compliant"

        Is the notebook that the agent takes away at the end of the shift PCI compliant?

        1. Anonymous Coward

          Re: based on experience of SMEs

          "Is the notebook that the agent takes away at the end of the shift PCI compliant?"

          Since when has a call centre agent ever used a notebook which they take home with them? Secondly, it doesn't need to be; they are not storing any card details on there. They are typing details onto a secure website.

          As long as the notebook falls under the company security policies for passwords, security systems etc., then the individual device doesn't have a compliance requirement.

          1. Doctor Syntax

            Re: based on experience of SMEs

            "Since when has a call centre agent ever used a notebook which they take home with them."

            Any time they want to steal customer data!!!

            Is the concept of a fraudulent employee too difficult to grasp?

            Edited to add:

            Assuming both comments to which I replied are from the same A/C who has some responsibility for back office operations I find this rather worrying. We're often told that insiders are a major source of security issues and yet these comments display an absurd degree of complacency and/or lack of imagination. If this reflects supervisory thinking it's not surprising that data goes AWOL.

          2. Anonymous Coward

            Re: based on experience of SMEs

            When I left a company I cleared out my desk and found I had taken my scrap paperwork from many years, and found old notebooks & Post-it notes with CC numbers from when I was a call agent (so long ago the cards would have been out of date). It was shredded and burned, as I do with my own personal info.

            I could have taken them home any time if I was that way inclined. I had access to name, address, security questions, card number, expiry, CVV, everything needed.

            When I left, the company was "trying" to impose a policy of not writing down the numbers, but keeping an eye on all agents and breaking old habits was hard.

        2. Anonymous Coward

          Re: based on experience of SMEs

          I used to work for a firm.

          When we looked into PCI DSS:

          1) Decided that, even with the required technical knowledge in house to keep the data secure and hosting it in our PCI DSS compliant data centres, it was still a better option to outsource the card management due to the potential liability if card data was ever compromised.

          2) An internal audit found accounts kept a record of the company credit card details in a non password protected spreadsheet (folder was only available to Finance OU). This was immediately stopped and lots of IT's time taken to remove the data, and from backups. But it was interesting to see everyone's credit limits ;-)

          3) When building a new PABX, had to modify procedures due to recorded voice and screen capture when credit card was given to an agent, and had to stop taking the CVV number in case the card number was recorded. All recordings needed to be encrypted, and audit logs of access to recordings.

          4) Agents were banned from writing down CC numbers on paper.

          Knowing what I now do from working with people to resolve these issues and write new policies and procedures, I doubt that many companies that you talk to over the phone and give CC information to are compliant, just because the calls are recorded and they ask for the CVV number, before you even go into storage requirements.
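
The spreadsheet and recordings found in the audit above are the sort of thing a scan for stored card numbers turns up. As an added example, not from the thread or any commenter, here is a small Python scanner that runs over text exported from spreadsheets, notes or ticket fields, keeps only digit runs that pass the Luhn check, and reports them masked so the report does not itself become another store of card data. The sample rows and the test card numbers in them are constructed for the demonstration, not real accounts.

```python
"""
Added example (not from the thread or any commenter): a scanner of the
kind an internal audit might run over exported spreadsheets or notes to
find stored primary account numbers (PANs). It finds 13-19 digit
candidates (allowing single spaces or dashes between digits), keeps only
those that pass the Luhn check, and reports them masked.

The sample text below is constructed; the card numbers are well-known
test numbers, not real accounts.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, the usual display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return [(line_no, masked_pan)] for each Luhn-valid candidate in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


# Constructed sample: a CSV-style export with two real-format test cards,
# an Amex test card, a digit run that fails Luhn, and an invoice number.
SAMPLE = """\
customer,card,expiry,notes
J Smith,4111 1111 1111 1111,12/26,phone order
A Jones,5500-0000-0000-0004,03/25,
B Brown,1234567812345678,01/27,looks like a card but fails Luhn
order ref 0012345678901 - invoice number not a card
C White,378282246310005,09/25,Amex
"""

if __name__ == "__main__":
    for line_no, pan in find_pans(SAMPLE):
        print(f"line {line_no}: {pan}")
```

Run it as a script and it reports lines 2, 3 and 6; the Luhn filter drops the invoice number and the digit run on line 4, which a plain digit-count rule would have flagged.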

  2. Mike Banahan

    Utter pain

    The PCI DSS procedure, audit process and general bullying is a complete pain for a small business. You get threatening letters from them, phone harassment and endless emails, all ending up in spending a day a year filling in a ridiculous questionnaire about which, I am sure, most people lie through their teeth just to get rid of the problem.

    It was such a pain that I got rid of the in-house credit card acceptance system and used an on-line provider instead - voila, the problem has gone away and I took enormous pleasure in writing the eff-you letters to my previous merchant account provider. This is presumably the background of the whole ponderous apparatus - it couldn't have been designed for any other purpose than semi-malicious intent.

    1. Anonymous Coward

      Re: Utter pain

      "It was such a pain that I got rid of the in-house credit card acceptance system and used an on-line provider instead - voila, the problem has gone away"

      "This is presumably the background of the whole ponderous apparatus"

      Bingo, that is it. They don't want businesses to have any storage of credit card details and so they would much prefer it to be outsourced and all storage done off-site.

      This is understandable in some ways as a lot of businesses will struggle with the time and expense of a properly secure system; on the other hand a large off-site company is a much, much more attractive target for a 'hacking' group to spend their resources trying to break (unlike the small businesses, which are not a big enough target). However, as a small business you have a lot less of a reputation problem if your off-site provider is breached, as it will make the national news and loads of clients will be affected, most bigger than yourself. If, as an SME, you get breached and you have to personally contact your customers to let them know it was due to your own security, it could finish off your business, especially as your card processing is likely to be suspended or even withdrawn.

  3. Anonymous Coward

    So basically it's a clash of security vs. ease of use. And for the small business owner, it seems the minimum level of security is PASSING the minimum comfort level these business owners will tolerate. And since transactions are increasingly cashless, dropping out altogether usually isn't an option, leaving them with a system they MUST use but CAN'T use.

  4. adam payne

    It's not just IT security at small and medium businesses that is the problem.

    I was doing some network work for a small company in my local area. While working on an issue in their finance department, one employee got credit card details (including the 3 digit security code) from someone over the phone and wrote the details on a Post-it note. This person then went up to the payment machine, found it was in use, stuck the Post-it note next to the machine and walked back to the phone to continue speaking with the customer.

  5. Anonymous Coward

    Profit over Security

    My experience working with many high street retailers is that security gets in the way of profit and other ‘cool’ retail innovations. Tills, often using Windows XP unpatched since the day they were installed, open to the internet and no AV. The same simple generic passwords used across branches because it’s easier when training the here today gone tomorrow staff. The industry is shockingly awful at security and the PCI standards are blatantly ignored – what’s worse, the same said companies have passed the PCI audit. And me, well I’m just blue in the face.

  6. Optimaximal

    This is but a dip in the water - they've just released the DSS 3.1 which mandates the disabling of SSL 3.0 (yeah, fine) or (uh-oh) TLS 1.0. Of course, nobody has had a cursory glance at the many key business systems that do not function with TLS 1.1 or upwards.

    Some of them you might even have heard of! Oh, hi Microsoft, fancy updating your older, actively supported versions of Exchange or SQL Server any time soon?

  7. Rabbit80

    In our case...

    The forms we have to fill in are full of questions that simply don't apply. We don't actually store card details anywhere on any of our networks, although our servers do act as a gateway through to payment processors. We have to have the PCI DSS, but all measures to do with storing them are simply not applicable.

    1. Benno

      Re: In our case...

      Sounds like you're filling in the wrong SAQ then - have a look on the PCI webby and speak to your bank about the potential to 'make life easier'.

      (I have to manage aspects of PCI-DSS compliance for a regional government department, and yes, it's a PITA...)

  8. Keith Langmead

    Disabling security to allow security tests

    I always love the requests from PCI testers to whitelist their IP ranges so they can do their security tests. Amusingly they never seem to get the irony of asking us to effectively disable our clients' security mechanisms to allow the PCI tester to check the security is good enough. Especially annoying when the client in question has nothing PCI related on their server or machines (payment terminal talking direct to the bank, and online payments handled via a 3rd party processor), yet they still have to be tested.

    1. Doctor Syntax

      Re: Disabling security to allow security tests

      Maybe it's a social engineering test question.

    2. Anonymous Coward

      Re: Disabling security to allow security tests

      Obviously you don't get it, Keith. An IPS or WAF protection cannot and most definitely SHOULD NOT EVER be used as a solution to mask shit code, by shit coders.

      Sure, WAFs are great to provide 'additional' protection, or virtual patching, but they can be turned off, leaving bad code exposed. You might think, "OH, but those are edge scenarios" - they're not. Waaaaa .... I can't push JS to my CMS cause the WAF is blocking it. "Sorry, did you tell me about that IP which should be whitelisted or do you want me to just disable the WAF entirely??"

      CODE has to be able to stand on its own. You can't say, "Hey, you have a SQL injection vuln, we'll just use the WAF ....." CAUSE YOU STILL HAVE A SQL INJECTION VULN!

      Relying on IPS or WAF to mask a dev's lack of knowledge means 2 people should be fired, the dev and Security Engineer that suggested it!

      Sorry Keith, you're fired.
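
The point above, that a WAF in front of injectable code leaves the injection in place, as an added example (not from the thread or any commenter) on an in-memory SQLite lookup in Python: the vulnerable string-built query beside the parameterised one that actually removes the bug. The customers table, its rows and the textbook tautology input are constructed for the demonstration.

```python
"""
Added example (not from the thread or any commenter): a WAF sits outside
this code path, so whether a rule happens to catch the input or not,
`lookup_vulnerable` still concatenates user input into SQL text.
`lookup_fixed` sends the value separately from the statement, which is
the change that removes the bug. Table and rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table of (constructed) customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "0004"),
            ("carol@example.com", "0005"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str):
    """Vulnerable: the caller's input is spliced into the SQL text."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, email: str):
    """Fixed: a parameterised query; the driver never parses the value as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "bob@example.com"
    # The textbook tautology input a WAF signature would try to spot.
    hostile = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(conn, normal))
    print("vulnerable, hostile input:", lookup_vulnerable(conn, hostile))  # every row
    print("fixed, hostile input     :", lookup_fixed(conn, hostile))       # no rows
```

With the string-built query the hostile input returns every row in the table; with the parameterised query it matches nothing, because the whole string is compared as an email address. That is the difference a WAF rule cannot make for you.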

  9. spam 1

    This whole internet business thing is just too easy to do wrong and too hard to do right. "Too" being in comparison with business priorities, in which security always takes a second place if lucky. Until SHTF.

  10. Anonymous Coward

    When the big boys dont follow

    How can we expect the SMBs to follow PCI, when the big boys do not even tag along.

    I work for what is possibly the biggest bank in the world. The servers in our authentication datacenters often get retired and sold off to computer recycling companies. Before the servers leave site they get a single pass format. That's it!!!

    I've raised it with management till I'm blue in the face, no one cares.

    One day... someone will recover one of those arrays and it will come back to bite them hard.
