Monthly Archives: January 2015

PCI-DSS 3.0: Translating new credit card data security rules

Merchants that process, store, or transmit credit card data are now required to be compliant with version 3.0 of the PCI Data Security Standard (PCI-DSS).

A small number of requirements are considered best practice until July 1, 2015, after which they become mandatory.

Now you could search through the rather substantial standard to find the requirements in question, but I’ve saved you the trouble.

The PCI-DSS says:

“8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

To prevent the compromise of multiple customers through the use of a single set of credentials, vendors with remote access accounts to customer environments should use a different authentication credential for each customer.”

In short: Merchants need to hold their service providers accountable!
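As an added example (not part of the original post or of the standard), here is a small audit a service provider could run over its own remote-access account inventory to spot the situation 8.5.1 forbids: one credential used at more than one customer. The account list and the audit key are constructed; a real run would pull the inventory from the provider's credential vault.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample inventory of a service provider's remote-access accounts.
# The same secret appears at merchant-a (twice) and at merchant-b.
ACCOUNTS = [
    {"customer": "merchant-a", "account": "support", "secret": "Winter2014!"},
    {"customer": "merchant-b", "account": "support", "secret": "Winter2014!"},
    {"customer": "merchant-c", "account": "pos-admin", "secret": "c7#Lq9-unique-c"},
    {"customer": "merchant-a", "account": "pos-admin", "secret": "Winter2014!"},
]

# Constructed audit key: keyed so the audit output never contains a usable credential.
AUDIT_KEY = b"constructed-audit-key-rotate-after-use"


def fingerprint(secret: str) -> str:
    """Keyed digest of a credential; equal secrets give equal fingerprints."""
    return hmac.new(AUDIT_KEY, secret.encode(), hashlib.sha256).hexdigest()[:16]


def find_shared_credentials(accounts):
    """Return {fingerprint: sorted customer list} for every secret used at
    more than one customer. Reuse of a secret within a single customer is
    not reported, since 8.5.1 requires uniqueness per customer."""
    customers_by_fp = defaultdict(set)
    for acct in accounts:
        customers_by_fp[fingerprint(acct["secret"])].add(acct["customer"])
    return {fp: sorted(c) for fp, c in customers_by_fp.items() if len(c) > 1}


if __name__ == "__main__":
    for fp, customers in find_shared_credentials(ACCOUNTS).items():
        print(f"credential {fp} is shared across customers: {', '.join(customers)}")
```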

The PCI-DSS says:

“9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add ‘skimming’ components to the outside of devices, which are designed to capture payment card details before they even enter the device.”

In short: Make sure your physical POS hardware is secure!

The PCI-DSS says:

“11.3 Implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results

The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of their potential exposure and develop a strategy to defend against attacks.”

In short: Test and verify the effectiveness of your network segmentation!

The PCI-DSS says:

“12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

This requirement applies when the entity being assessed is a service provider. It is intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities. The acknowledgement of the service providers evidences their commitment to maintaining proper security of cardholder data that it obtains from its clients. The method by which the service provider provides written acknowledgment should be agreed between the provider and their customers.”

In short: Update your contracts to include this acknowledgement!

If you need to implement any or all of these requirements, do it now. Do you really want to wait until June 30, 2015?

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

RFID Skimming Hits Close To Home

January is typically the time of year when most of us are scared to look at our bank and credit card statements. It doesn’t help that when we do, we find fraudulent transactions or, even worse, our accounts are maxed out or drained completely of funds.

This happened to some 400 people in Nova Scotia, Canada this past December. It is believed they were victims of RFID Skimming.

RFID security breaches are nothing new, but they have typically happened in bigger cities. Atlantic Canadians were caught completely off-guard, including a close family member of yours truly.

That being said, I am not accusing any organization of failing to notify customers of RFID skimming.

What is RFID Skimming?

RFID Skimming is a form of digital theft that enables information from RFID-based smart cards, also known as “tap” cards, to be read and duplicated. It works by reading the RFID chip at a distance using an RFID scanner, which downloads the card information. That information can then be written to a new blank card, which operates in the same manner as the original legitimate card. Because the data is identical on both cards, and the information is only copied, it makes no difference if the original data is encrypted or not.

How can you protect yourself?

  • RFID blocking sleeves, pouches, or wallets which are lined to protect RFID-enabled cards. Unfortunately, like any other wallet, these will most likely wear out in time.
  • Aluminum foil is a simple, low-tech way to make a sleeve, though one with a limited useful lifetime. There are also limits to how well it works: it may simply make transmission more difficult rather than impossible.
  • An Altoids tin or duct tape wallet (seriously).
  • Disable the RFID functionality on the card. This can be accomplished in a few ways. You could microwave or drill a hole through the chip, but your card issuer might frown upon that. You could also call your bank or card issuer to see if they can disable the functionality from their end.

These measures will increase the security of your RFID-enabled cards, but they are far from being foolproof. The best way to stay protected against rogue RFID scanners is to minimize your reliance on RFID-enabled tools; quitting cold turkey really is the only guaranteed protection. But if you can’t find a way around it, then you can safeguard your cards with the methods listed above.

For the record, I am now the proud owner of an RFID blocking wallet.