Breaches can occur at any time, and payment networks are usually the prime targets of hacker communities. A hacker is usually looking for vulnerable systems and, when they are found, attempts to break into them to steal financial information that can be sold online for easy money.

In the past few issues of CIO Pakistan, I have discussed what PCI DSS (Payment Card Industry Data Security Standard) is and how the audit process helps to make the transaction process more secure. In this issue, I'd like to draw a clearer profile of the hacker and what he is looking for. As a security professional, you must be able to put yourself in the shoes of your worst nightmare and think as he does. Only then will you be able to take proactive measures and be ready to handle what comes your way. Always remember: being effective at security best practices requires a keen sense of human behavior.

What Hackers Look For and Where

There are two kinds of merchants: online merchants and physical merchants, also referred to as 'brick and mortar' merchants, which use a POS (Point of Sale) device to accept card payments. Customers engage with both, and both usually hold some customer data. Hackers are always looking for cardholder data, preferably combined with personal information. Stealing just the card is no longer enough.
The "stealing" is done in two possible ways:

1. Stealing from online merchants is mainly done through the internet and is usually due to security holes in system components such as firewalls, servers and applications.
2. There are several ways in which hackers steal data from physical merchants. One is to hack a vulnerable wireless network that transmits the cardholder data.

Different Kinds of Breaches

Different parts of the world reveal different kinds of breaches. In Europe, for example, more breaches occur at online merchants and fewer at physical merchants. In the United States, however, more breaches occur through physical merchants and comparatively fewer occur online.

Interestingly, the highest percentage of breaches occurs at Level 4 merchants, the smaller businesses with fewer transactions. This is usually because smaller businesses don't have dedicated ICT departments or security consultants.

Transactions are based on a relationship of mutual trust. Without involving the banks, the buyer and seller base their decision to make a sale or extend credit on past track record and experience. By accepting weaker security measures, the relationship runs the risk of a compromised reputation, and reputation is what leads to consumer confidence and enables the exchange or extension of financial liabilities.

The Sensitive Data

There are essentially two kinds of credit card data, and each requires a different type of protection. First, there is the 'Cardholder Data', which comprises the card number, name and expiry date. Second, there is the 'Sensitive Authentication Data' (SAD), which contains the magnetic stripe data along with the 3- or 4-digit codes such as the CVC, and the PIN block. During the transaction process the merchant is never allowed to store SAD beyond authorization; the merchant may store cardholder data, but only if it is properly encrypted and/or hashed.
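To make the storage rule concrete, here is an added example (not code from the article or from any real POS product) of the two things a merchant system has to do before a record touches disk: drop every SAD field once authorization is complete, and replace the clear card number with a truncated form plus a keyed hash. A third function shows the check an auditor would run over stored data, scanning for Luhn-valid card numbers that were left in the clear. The field names, the sample record and the log line are all constructed for this example.

```python
import hashlib
import hmac
import re

# Field names are assumptions for this example; real POS and gateway
# message formats use their own names. These are the SAD elements the
# article lists: magnetic stripe (track) data, the 3/4-digit code, PIN block.
SAD_FIELDS = {"track1", "track2", "cvc", "pin_block"}

# Constructed authorization record as a POS might hold it in memory.
# All values are fake test data.
AUTH_RECORD = {
    "pan": "4111111111111111",
    "name": "TEST CARDHOLDER",
    "expiry": "12/27",
    "track2": "4111111111111111=27121010000000000000",
    "cvc": "123",
    "pin_block": "0123456789ABCDEF",
    "amount": "49.99",
    "auth_code": "A1B2C3",
}


def strip_sad(record: dict) -> dict:
    """Return a copy of the record with all Sensitive Authentication Data removed."""
    return {k: v for k, v in record.items() if k not in SAD_FIELDS}


def protect_pan(pan: str, key: bytes) -> dict:
    """Replace the clear PAN with a truncated display form and a keyed hash.

    An HMAC with a secret key is used rather than a bare SHA-256: a plain hash
    of a 13-19 digit number is cheap to reverse by brute force, a keyed hash
    is not unless the key leaks. The key must be kept outside the database.
    """
    digits = re.sub(r"\D", "", pan)
    return {
        "pan_masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
        "pan_hmac": hmac.new(key, digits.encode(), hashlib.sha256).hexdigest(),
    }


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Everything a merchant is allowed to keep after authorization."""
    stored = strip_sad(record)
    stored.update(protect_pan(stored.pop("pan"), key))
    return stored


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or hyphens, not part of a
# longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_clear_pans(text: str) -> list:
    """Auditor-style scan of stored text (logs, dumps) for clear-text PANs.

    A candidate is reported only if it passes the Luhn check, which filters
    out most order numbers, timestamps and reference ids.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    key = b"demo-key-kept-in-an-hsm-or-kms"  # placeholder key for the example
    print(prepare_for_storage(AUTH_RECORD, key))
    # Constructed POS log line that should never have been written.
    log_line = "2023-09-27 POS1 sale pan=4111 1111 1111 1111 amount=49.99 ref=1234567890123"
    print(find_clear_pans(log_line))
```

The scan is deliberately noisy in one direction: anything that passes Luhn is reported and a human confirms it, because a missed clear-text PAN is a far worse outcome for the merchant than a false positive.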
The PCI auditor is responsible for verifying which data is stored and which is filtered out of the merchant's system.

Pre-Auditing Steps for PCI Validation

Before the PCI assessor goes through the validation of the 12 main PCI sections, there are a few important things to consider when planning the audit.

Scoping

The first step is to clearly define the scope of the assessment for PCI validation. For instance, a customer may have 2,000 workstations in his organization, but only a few of them might actually store, process or transmit cardholder data. Under PCI DSS, all systems that are connected or networked to the cardholder systems are in scope and require assessment, which would make the audit a very lengthy and expensive process. Segmenting the network to isolate the sensitive systems is recommended to reduce the assessment scope. The auditor has to verify the isolation to confirm the scope before the assessment.

Sampling

A customer might have a large number of similar systems, and it would be a waste of time and resources to assess every system when each would yield the same result. For instance, if a business has several retail shops that use similarly configured systems, the auditor can select a sample of those shops for assessment. All unique systems still need to be audited individually.

Compensating Control

In case of business, technical or legal constraints, compensating controls are allowed with documented justification. For example, if a system does not support long passwords, you may compensate with a more complex password that has a shorter expiry, along with additional logging, in place of the longer password.

Reporting

During the audit, documentation and reporting should be produced at every key step of the process.
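The scoping rule above, that every system networked to a cardholder system is in scope unless segmentation cuts it off, is a reachability question, and it is worth seeing how quickly a flat network drags the whole estate into the audit. The following is an added example, not the article's or any assessor's tool: it takes a constructed inventory of hosts flagged as storing, processing or transmitting cardholder data (the CDE), a list of network links, and walks outward over every unrestricted link to compute the assessment scope. The same inventory is evaluated once on a flat network and once with the CDE behind its own firewall, so the effect of segmentation on scope is visible in the numbers. Host names, links and the `restricted` flag are all assumptions for the example.

```python
from collections import deque

# Constructed inventory: True means the host stores, processes or transmits
# cardholder data and therefore belongs to the cardholder data environment.
HOSTS = {
    "pos-01": True,
    "pos-02": True,
    "payment-db": True,
    "cde-fw": False,
    "store-switch": False,
    "office-pc-01": False,
    "office-pc-02": False,
    "hr-server": False,
    "guest-wifi-ap": False,
}

# Links are (host_a, host_b, restricted). restricted=False is an unfiltered
# path; restricted=True is a firewalled boundary that the assessor has to
# verify separately, but which does not extend the scope on its own.

# Flat store network: everything hangs off one switch.
FLAT_LINKS = [
    ("pos-01", "store-switch", False),
    ("pos-02", "store-switch", False),
    ("payment-db", "store-switch", False),
    ("office-pc-01", "store-switch", False),
    ("office-pc-02", "store-switch", False),
    ("hr-server", "store-switch", False),
    ("guest-wifi-ap", "store-switch", False),
]

# Segmented network: the CDE sits behind its own firewall, and the only link
# to the rest of the store is the firewall's restricted uplink.
SEGMENTED_LINKS = [
    ("pos-01", "cde-fw", False),
    ("pos-02", "cde-fw", False),
    ("payment-db", "cde-fw", False),
    ("cde-fw", "store-switch", True),
    ("office-pc-01", "store-switch", False),
    ("office-pc-02", "store-switch", False),
    ("hr-server", "store-switch", False),
    ("guest-wifi-ap", "store-switch", False),
]


def cde_hosts(hosts: dict) -> set:
    """Hosts that store, process or transmit cardholder data."""
    return {name for name, is_cde in hosts.items() if is_cde}


def in_scope(hosts: dict, links: list) -> list:
    """Breadth-first walk from the CDE over unrestricted links.

    Any host reachable without crossing a restricted boundary is in scope.
    An unknown host name in a link is raised as an error: an undocumented
    system on the network is itself an audit finding, not something to skip.
    """
    adjacency = {name: set() for name in hosts}
    for a, b, restricted in links:
        for name in (a, b):
            if name not in adjacency:
                raise ValueError(f"link references host not in inventory: {name}")
        if not restricted:
            adjacency[a].add(b)
            adjacency[b].add(a)

    scope = cde_hosts(hosts)
    queue = deque(scope)
    while queue:
        current = queue.popleft()
        for neighbour in adjacency[current]:
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return sorted(scope)


def scope_report(hosts: dict, links: list) -> dict:
    """Summary an assessor can put in the scoping section of the report."""
    scoped = in_scope(hosts, links)
    return {
        "cde_hosts": len(cde_hosts(hosts)),
        "in_scope": len(scoped),
        "total_hosts": len(hosts),
        "out_of_scope": sorted(set(hosts) - set(scoped)),
    }


if __name__ == "__main__":
    print("flat:     ", scope_report(HOSTS, FLAT_LINKS))
    print("segmented:", scope_report(HOSTS, SEGMENTED_LINKS))
```

Note that the firewall itself stays in scope in the segmented case: it is directly connected to the CDE, and the restricted link only stops the scope from spreading past it. That matches what the auditor has to do in practice, which is verify the firewall's isolation before accepting the smaller scope.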
The report should include vendor/assessor contact information, audit dates and timeline, business description, processor relationship, merchant POS (Point of Sale) products used and their versions, wireless LAN, network diagram, transaction flow diagrams and a summary of the audit.

There is really no sure way to protect any transaction, be it online or offline, but it is important to understand the risks associated with each. The money that companies spend on securing products through the physical exchange of cash is also not without its risks. Someone physically robbing you seems a lot 'easier' to control than an online theft, but that isn't always true. You have to understand that the interception of any transaction comes after a great deal of observation and patience. So yes, a breach can occur at any transaction point, at any time. Sticking your head in a silo and thinking your business functions in isolation is not the solution to any problem.

Offline penetration testing is just as vital to the integrity and security of a brick and mortar business as it is for an online business. Offline trend analysis is just as critical as online analysis, though online the analysis is at times easier because of the amount of data that can be gathered and analyzed at any given time.

The purpose of this series of PCI audit articles is not to scare you into never using your credit card again. That obviously cannot happen. The purpose is for you to be aware of the signs that there might be a vulnerability in the system you are using, and of how you can work towards strengthening that system.

About the Author:

Talha Ghafoor is a Senior Security Specialist and a qualified CISSP, CISA, PCI-QSA and JNCIS-FWV. He has 10+ years of industry experience with a strong history of working with Tier 1/Fortune 10 financial services institutions in Europe. Talha's expertise lies in firewalls, intrusion prevention, encryption and open source software.
You can contact him at: talha@ciopakistan.com