Payment Security News || Q1 2010

Welcome to 2010!

Like us, you’ve probably had enough of people saying ‘Happy New Year’ – but Happy New Year to you anyway. You’re also probably fed up with checking weather forecasts and seeing snow and cold moving in! Well, spring is very nearly upon us and the warmer weather fronts will be moving in soon.

For the keen eyed amongst you, you will have noticed a slight change to the title. Whilst PCI DSS continues to be an incredibly important requirement for any business involved in card payments, we thought Payment Security better defines the messages we are trying to get across. Whether we’re talking about PCI DSS, PTS or PA-DSS, the common theme is the urgency for all businesses to take Payment Security seriously. The coming editions will start to focus more and more on these other standards and their requirements.

In the meantime, this edition includes:
- Prioritised Approach
- An overview of compromises from the front line
- UK Security Breach Investigations Report
- Industry expert articles from the PCI SSC and the DCPCU

Prioritised Approach

IMPORTANT: if you are still working towards compliance, please read this.

Visa and MasterCard now require this information! To ensure that your compliance progress is being reported accurately, and therefore to reduce the risk of fines for non-compliance, please access the simple RBS WorldPay Merchant Reporting Tool and full completion instructions at:
http://www.rbsworldpay.com/pcidss/index.php?page=intro&l=x

Many of our merchants have already started to use this risk-based tool to help manage their compliance programme.

The next formal update submission to Visa and MasterCard is due at the end of March 2010. If we do not receive updates from you by this time, we will submit a NIL response, which could significantly increase the likelihood of your receiving fines for non-compliance.

Whilst it is becoming more commonplace across the industry, RBS WorldPay does NOT charge a fee for non-compliance, or apply any additional charges for ongoing support or for updating the Card Schemes with your progress. We are here to support you – but to do this we need you to provide information about your progress towards PCI compliance. If you have questions about completing the Prioritised Approach, please contact one of the team today!
Telephone: +44 (0)207 672 6400
Email: pcidss@rbs.co.uk

7Safe - UK Security Breach Investigations Report

Information Security firm 7Safe has released its 2010 UK Security Breach Investigations Report, which focuses on PCI-related security breaches investigated by 7Safe's Breach team. The results demonstrate just how many compromises take place against Merchants and Service Providers and how prevalent cybercrime is. The methods of attack range from the very simple through to cleverly crafted, targeted attacks of serious significance. The report also maps the breach data to the PCI DSS requirements and highlights where themes of weakness arise.

Breaches occur despite the extensive use of ASV scanning tools, where reliance on the results often leads to questionable confidence that applications and sites are secure. Are such tools flawed, or is there a fundamental misunderstanding of how they work, how the results are interpreted and the key differences between ASV scans and penetration testing?

This concise report has been researched and written by the CEO and Co-Founder of 7Safe in conjunction with a Professor at the University of Bedfordshire. The report’s findings are also supported by the Serious Organised Crime Agency (SOCA) and the Police Central eCrime Unit (PCeU).
www.7safe.com/breach_report

Call Recordings - Change to PCI SSC Rules

The PCI Data Security Standard guidelines have in the past been unclear with regard to call recordings, but the Security Standards Council has now released further clarification.

Latest statement from the PCI SSC:

This response is intended to provide clarification for call centres that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).

It is a violation of PCI DSS requirement 3.2 to store any Sensitive Authentication Data, including card validation codes and values, after authorisation even if encrypted. This therefore prohibits the use of digital audio recording (using formats such as wav, mp3 etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorisation, as card data can easily be extracted using freely available software.

On an exception basis, storage of CAV2, CVC2, CVV2 or CID codes in an analogue format after authorisation is allowed, as these recordings cannot be data mined easily. However, the physical and logical protections defined in PCI DSS must still be applied to these analogue call recording formats.

Audio recording solutions that prevent the storage or facilitate the deletion of CAV2, CVC2, CVV2 or CID codes and other card data are commercially available from a number of vendors.

All other recordings containing cardholder data captured by call centres must be protected in accordance with the PCI DSS, including PCI DSS requirement 3.4.

Real Life Story: Managing merchant data breaches

Any RBS WorldPay merchant that becomes involved in a suspected, or confirmed, system data breach will be managed by our dedicated and experienced Account Data Compromise Team. In the event of an Account Data Compromise (ADC) the team works closely with the Card Schemes and the impacted merchant to ensure a speedy resolution. It can often be a long process, so it is important that an effective relationship is created from the start and that the merchant provides as much detail to us as possible in a timely fashion.

A compromise occurs when genuine cardholder data is stolen from a merchant and this information is then used fraudulently elsewhere. The Card Schemes (MasterCard and Visa Europe) issue fines when merchants lose cardholder data, so the ADC Team’s job is to stop the data losses, remediate the merchant to PCI compliant status and administer merchant fines. A merchant with a confirmed ADC will have to report to the Card Schemes as a PCI Level 1 merchant regardless of what their level was previously. Typically these attacks occur in the eCommerce space: the servers on which merchants store payment information are hacked, and until we get involved the merchant usually isn’t aware it is happening.

Typical Example

Merchant ‘XYZ’ is a high street retailer and has suffered several prolonged attacks on their payment servers from customised code siphoning off cardholder data. The merchant responded well to our initial contact and promptly undertook investigations on the systems using a Qualified Forensic Investigator (QFI). The QFI’s report highlighted at least 3 successful attacks, taking advantage of the merchant’s outdated computer infrastructure. Many thousands of active card numbers were stolen, and the merchant stood to receive large fines and recovery of card monitoring and re-issuance costs from the Card Schemes. Fines can run into the hundreds of thousands of Euros, but on this occasion, with full and prompt co-operation from the merchant, we were able to reduce these to something the merchant could absorb more easily. It doesn’t always work out like that!

The number of compromises managed in 2009 exceeded 130, and the majority paid the minimum Scheme fine. The minimum fine last year for small merchants was €2,500; this year it is €10,000, so we are expecting a real challenge in 2010.

The Origins of Breaches

Evolving far more quickly than any animal ever has, the criminals behind large numbers of very public attacks are moving swiftly through different sections of the market. Whilst larger organisations may attract attention for their size and wealth, it is the smaller businesses that offer easy pickings. Costs incurred by businesses relating to security breaches, including legal fees, call-centre costs, regulatory fines, breach notification, public relations, lawsuits, etc., have now reached hundreds of millions of dollars over the past few years.

The majority of threats can be blamed on outside attackers, with confirmed breaches accounting for around 20% of the total, according to some recently published data. More significant are the breaches caused by individuals working within an organisation. These can be attributed to poor procedures, human error and malicious activity by people on the inside of an organisation, and account for more than 35% of breaches. The remainder come from physical failure of devices and improper disposal of records.

The requirements detailed within the PCI DSS clearly go a long way towards reducing threats to your business. However, it is essential that businesses appreciate potential internal threats and ensure that an adequate security strategy is in place. To ensure your business can respond quickly and effectively to any incident that may occur, you are strongly advised to have a detailed ADC plan in place. This should also be regularly tested and kept up to date.

What to do if you suspect an ADC

The key is having a plan in place to respond to the possibility of a data breach to your systems or those of the third parties storing, processing or transmitting cardholder data on your behalf. Please take a look at the following link for more information, and do not hesitate to contact us should you need more information.

If you suspect a compromise, you need to take the following steps:
- Contact your Acquirer (RBS WorldPay) immediately.
- Leave compromised systems alone - don't access them or alter them in any way. Don't log on or change your passwords.
- Don't turn off compromised systems - instead, unplug any network cables to disconnect them from your network.
- Back up immediately - carry out a back-up of your systems to preserve their current state. This helps any future investigation.

Contact details for RBS WorldPay customers
Telephone: +44 (0) 207 672 6262 or +44 (0) 207 672 5404
Email: pci.merchant.programme@rbs.co.uk
Web: http://www.rbsworldpay.com

Industry expert: PCI Security Standards Council (PCI SSC)

In the last several years, awareness of issues around credit card security and PCI standards has grown exponentially. This is a good thing. As more businesses implement PCI DSS as a necessary layer in protecting their customers’ card data, this increased vigilance will result in fewer breaches, not to mention fewer headaches and losses for businesses, financial institutions and cardholders.

In 2010 we will hear more discussion on the topic, especially as we approach the introduction of the newest version of the PCI Data Security Standard in October. Our goal at the Council is to gather as much real-world implementation information from folks like you, keep you informed on how the revisions to the Standard may affect you, and share with you information on how processes may change and how new technologies will interact with the new standard. With that in mind, I’d like to share with you a calendar of what the Council has planned for 2010 and what changes you can expect along the way.

Programme for Revisions to the Standard

November 2009 - April 2010: DSS and PA-DSS Feedback Review Process
We make revisions to this standard based on the input of hundreds of companies that make up our Participating Organization base. The Feedback section of the DSS Lifecycle Process ended in October of last year, and we are now in the Feedback Review Process. At this point we are consolidating, categorising and reviewing thousands of pieces of feedback – all analysed by our PCI DSS Technical Working Group.

March: Council will share a summary of feedback with the market

April: Council presents framework on emerging technologies, and the first piece of guidance in this area
The Council will outline how we plan to approach emerging technologies. We are targeting April to deliver first guidance on Chip, with more content to follow. We also have Special Interest Groups working on Virtualisation, Pre-Authorisation and Scoping that will be able to provide guidance this year.

Late April: New PIN Transaction Security (PTS) standard released (formerly the PIN Entry Device (PED) Standard)
Following a final comment and review period currently underway, the Council will release the next version of the PTS Standard. This will cover all PIN hardware, including unattended payment terminals and non-user-facing devices such as hardware security modules (HSMs).

May - June: Summary of proposed changes to the DSS provided to Participating Organizations and the market
The lifecycle gives us enough time to address evolving security threats and gradually phase in elements and requirements to enhance security - without throwing a company out of compliance the moment the new version comes out. With this summary, we’ll be providing guidance on what we anticipate will change in the next year.

May - September: New version revision and final review

September 21-23: US Community Meeting, Orlando, Florida
October 18-20: European Community Meeting, Barcelona, Spain
These Community Meetings provide an opportunity for us all to meet in person and discuss upcoming changes and how they will affect you. All Participating Organisations are welcome to join us.

October 2010: Next iteration of standards released to the public
Again, we will provide plenty of time to implement any required changes - most requirements may include phased implementation dates to give you time to sunset old practices and introduce new ones.

There will be a lot of ground to cover in 2010, but we hope that with your support we can accomplish these objectives and usher in the new standard and an era of increasing adoption and security. Remember, our goal is to keep you informed throughout this entire process. If at any time you feel you need additional information from the PCI Security Standards Council, please visit our site, http://pcisecuritystandards.org/, where you can get the most up-to-date information, access our searchable archive of guidance and support materials, and post a question directly to our Technical Working Group.

Bob Russo, General Manager, PCI Security Standards Council

Industry expert: Dedicated Cheque and Plastic Crime Unit (DCPCU)

The Dedicated Cheque and Plastic Crime Unit (DCPCU) is a special police unit, fully sponsored by the banking industry, with an ongoing brief to help stamp out organised card and cheque fraud across the UK. The DCPCU is a unique body that comprises officers from the Metropolitan and City of London police forces, who work alongside banking industry fraud investigators. It is comprised of three operational teams, which are supported by an intelligence arm – the Payments Industry and Police Joint Intelligence Unit (PIPJIU). The PIPJIU was launched in March 2008 and enables the efficient collation and dissemination of fraud intelligence to police forces throughout the country.

Since it was launched in April 2002, the DCPCU has been responsible for savings of more than £315 million in estimated fraud. Key to the Unit’s work is the investigation and successful prosecution of criminals engaged in organised cheque and card fraud in the UK. Individuals within all levels of a criminal network are targeted, but wherever possible priority is given to arresting those directing or organising the crimes.

Typical investigations target criminal networks involved in:
- card skimming;
- fraud on transactions over the telephone or internet;
- unauthorised obtaining of account and transaction data; and
- card and PIN compromise at cash machines or in shops.

Other work undertaken by the Unit includes:
- providing advice, guidance and support to fraud investigators within the banking and payment card industry;
- identifying new methods used by organised criminal gangs and passing details on to the banking industry to enhance preventative initiatives;
- using the Proceeds of Crime Act to deprive criminals of any benefits they have gained from fraud and, where appropriate, to recover funds and seek compensation for fraud victims; and
- developing and maintaining relationships with financial bodies to facilitate enquiries and evidence gathering.

Although card fraud losses in the first half of 2009 decreased, this does not mean that we can afford to be complacent in our approach to tackling the organised criminal gangs responsible. Fraudulent transactions made over the internet, by phone or by mail order remain the largest type of card fraud, accounting for 58% of total card fraud losses in the first half of 2009 (according to figures released by The UK Cards Association).

Organised criminal gangs are always looking to target the weakest link in the chain. Often this is the cardholder but, when it comes to compromising card data, criminals may target retailers in the hope of stealing large volumes of card information in one go. Therefore it is imperative that retailers take the necessary steps to safeguard all the physical and electronic card data in their possession – by doing so they will make it much harder for criminals to commit card fraud, either face-to-face or in the online environment.

The banking industry has also made available secure payment systems for safer online transactions, known as Verified by Visa and MasterCard SecureCode. Over 53 million credit and debit cards have now been registered with MasterCard SecureCode and Verified by Visa – and there has also been a significant increase in the number of retailers using these systems – those that have currently handle more than half of the value of all the UK’s online shopping.

Retailers that introduce these systems see a change in liability for particular situations between themselves and their bank, leading to less time spent on dispute resolution and less money lost through chargebacks.

Preventing card fraud needs to be tackled in a joined-up and co-ordinated manner – by working together, the banking industry, retail sector, cardholders and the police can all play their part and help tackle fraud head-on.

For more information visit: www.cardwatch.org.uk or http://www.dcpcu.org.uk/

Maintaining PCI Compliance

A common myth is that once you complete the SAQ and associated vulnerability scans (if applicable), all of your obligations are fulfilled. The truth is that maintaining compliance is an ongoing process, and you must remain vigilant to ensure you are protecting cardholder data and minimising the risk of a breach.

It is also important to keep up to date with lodging an SAQ, as many merchants complete this initially and forget to renew it 12 months later, leaving themselves exposed to serious fines should a data breach occur, and to the possibility of general non-compliance fines as well. It is also very likely that the security standards set whilst attesting to compliance have since relaxed, leaving your business at greater risk.

You should always keep a copy of your completed SAQ, and also date your Information Security policy, and ensure both are renewed every 12 months. This ensures ongoing protection for you and your customers. If you are unclear whether your PCI compliance is due for renewal or not, please email us at pcidss@rbs.co.uk or contact the team on +44 (0) 207 672 6400.

Useful information

PCI SSC Lifecycle Process - Phase 3

The PCI SSC has published a lifecycle process associated with the current PCI DSS v1.2. According to the process, PCI DSS v1.2 is in Phase 3 of its lifecycle, and during this phase the Council compiles feedback and makes decisions about the future version or revision of the standard. A new draft will be presented to the Board of Advisors and Participating Organisations and finalised during Phase 4 of the lifecycle (May 1st - August 31st 2010), with a new version or revision due to be published in September 2010. RBS WorldPay sits on the Board of Advisors and so will provide further information as we have it. For full lifecycle details please visit the PCI SSC website: https://www.pcisecuritystandards.org/index.shtml

ALL Level 3 (eCommerce) merchants will be taken to Visa Europe’s March Compliance Council. If you have not given your assigned PCI Manager an update……do it now!!!

Key dates for your diary!

A reminder of the key dates from the Card Schemes that could impact your business. It is important that you take note and prepare where necessary.

Effective 30 June 2011 (* this is a change from what has been previously mentioned *)
Level 1 and 2 merchants must use either a QSA or appropriate primary auditor staff who have attended PCI SSC-offered merchant training programmes and passed any associated PCI SSC accreditation programme annually. Up until this date, Level 2 merchants are free to confirm compliance through completion of the SAQ alone, and Level 1 merchants must use a QSA or other auditor(s) with appropriate experience and knowledge.

Effective 31 December 2012
Acquirers must ensure that merchants using payment applications that do not store sensitive authentication data are either fully PCI DSS compliant or using a PA-DSS compliant application.

Visa Europe - Best Practices for Data Field Encryption

Data field encryption, commonly referred to as “end-to-end” encryption, defines a process to protect cardholder data both in storage and in transit within an enterprise, limiting the cleartext availability of cardholder data. To support marketplace adoption of data field encryption, Visa Europe has developed best practices to assist merchants and other stakeholders in evaluating emerging data field encryption solutions. These best practices should be viewed as high-level guidance to be considered for any such solution, and represent the first step in an ongoing communications programme from the Card Schemes and the Payment Security industry at large. To view Visa’s Best Practices for Data Field Encryption, please follow this link:
http://www.visaeurope.com/documents/ais/best_practices_for_data_field_encryption.pdf

Q1 2010 Formal Update Report to Visa and MasterCard

As you will of course know, RBS WorldPay, as an Acquirer, is responsible for reporting the progress towards PCI compliance of all its in-scope merchants. If you have a PCI Manager already assigned, you may have already received a chase for information. If not, please call the team on +44 (0) 207 672 6400 and someone will point you in the right direction.

Why is it so important?

It may feel like we are hounding you sometimes, but if we do not get an update from you we are not able to help protect you against fines for non-compliance.

Thanks for reading!

Many thanks for taking the time to read through another newsletter. We hope you found the contents useful. If you have sent in positive feedback - thanks, it is very much appreciated. If you have feedback you want to give, whether it’s positive or negative, please do not hesitate to send it in. We’d love to hear from you. We’d also like your thoughts on ideas for future editions - this could be in the form of a merchant case study!!

Until further notice, and unless there are key messages to get out, we will be producing this newsletter on a quarterly basis. So the next edition will be early in Q2 2010. Hopefully by this time spring will have definitely sprung!

Thanks and regards,

Phil Atherton
Head of Compliance & Scheme Management
RBS WorldPay Global Transaction Services
+44 (0)207 672 6400
pcidss@rbs.co.uk
Level 8 | 2½ Devonshire Square | London EC2M 4BA | UK

RBS WorldPay: www.rbsworldpay.com/pcidss
PCI SSC: www.pcisecuritystandards.org
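Added example (it is not part of this newsletter and not PCI SSC or RBS WorldPay material): the PCI SSC statement on call recordings earlier in this edition rests on two rules, that card validation codes must not be stored after authorisation even if encrypted (requirement 3.2), and that any other stored cardholder data must be protected (requirement 3.4). The Python below shows what those rules mean for a card-not-present transaction captured by a call centre at the point it is written to storage: the CVV2 field is dropped rather than encrypted, the PAN is truncated, and free text such as a call transcript is searched for Luhn-valid card numbers, the same pattern search that off-the-shelf data mining tools perform and that the statement warns about, so a defender should run it first. An audit function applies the same two checks to records already in storage. The record layout, field names and sample values are constructed for the example; the card number is a publicly documented test number, not a real card.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CapturedTransaction:
    """Hypothetical shape of a card-not-present transaction captured by a call centre
    (constructed for this example; the newsletter describes no record format)."""
    pan: str
    expiry: str
    cvv2: Optional[str]      # sensitive authentication data: never stored post-authorisation
    cardholder_name: str
    authorised: bool
    notes: str = ""          # free text, e.g. a speech-to-text transcript of the call


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test. Every genuine PAN passes it, so it weeds out most random
    digit runs (a long invoice or phone number can still pass, so expect some review)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens, and not embedded
# in a longer digit run (so a 20-digit reference number is not carved into a "PAN").
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _strip_separators(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in free text, separators removed."""
    return [_strip_separators(m.group())
            for m in PAN_PATTERN.finditer(text)
            if luhn_valid(_strip_separators(m.group()))]


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation, one of the methods PCI DSS 3.4 allows.
    Only the last four digits are kept: enough to identify a card with a customer."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid card number in free text with its truncated form."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = _strip_separators(m.group())
        if luhn_valid(digits):
            count += 1
            return truncate_pan(digits)
        return m.group()

    return PAN_PATTERN.sub(repl, text), count


def sanitise_for_storage(tx: CapturedTransaction) -> Dict[str, object]:
    """The only form of a captured transaction that may be written to storage once
    authorisation has been obtained. CVV2 is dropped outright rather than encrypted
    (PCI DSS 3.2 forbids storing it post-authorisation even if encrypted); the PAN is
    truncated, and any PAN read back into the notes is truncated too. A 3- or 4-digit
    code in free text cannot be found by pattern, which is why the codes have to be
    kept out of the recording at capture time rather than cleaned up afterwards."""
    if not tx.authorised:
        raise ValueError("only authorised transactions are eligible for storage")
    notes, redacted = redact_pans(tx.notes)
    return {
        "pan": truncate_pan(tx.pan),
        "expiry": tx.expiry,
        "cardholder_name": tx.cardholder_name,
        "notes": notes,
        "pans_redacted_from_notes": redacted,
        # deliberately no "cvv2" key: nothing downstream should expect one
    }


def audit_stored_record(rec: Dict[str, object]) -> List[str]:
    """Check a record already in storage against the two requirements the PCI SSC
    statement cites. Returns a list of findings; an empty list means clean."""
    findings = []
    if rec.get("cvv2"):
        findings.append("CVV2 stored after authorisation (PCI DSS 3.2)")
    if find_pans(str(rec.get("pan", ""))):   # a truncated PAN is too short to match
        findings.append("full PAN stored in cleartext (PCI DSS 3.4)")
    if find_pans(str(rec.get("notes", ""))):
        findings.append("PAN present in free-text notes (PCI DSS 3.4)")
    return findings


# Constructed sample record; 4111 1111 1111 1111 is a publicly documented test number.
SAMPLE = CapturedTransaction(
    pan="4111 1111 1111 1111",
    expiry="12/12",
    cvv2="123",
    cardholder_name="A Customer",
    authorised=True,
    notes="Customer read back card 4111-1111-1111-1111 to confirm.",
)

if __name__ == "__main__":
    clean = sanitise_for_storage(SAMPLE)
    print(clean)                       # no cvv2 key, PAN truncated in both fields
    print(audit_stored_record(clean))  # []
    print(audit_stored_record({"pan": "4111111111111111", "cvv2": "123"}))
```

Truncation is used here because it is simple and needs no key management; hashing or tokenisation would also satisfy 3.4 where the full PAN has to be recoverable elsewhere. The Luhn filter cuts false positives but does not remove them, so treat the audit output as a review queue rather than a verdict, and note that the same search cannot find validation codes at all, which is the practical reason the PCI SSC points to recording solutions that stop the codes being captured in the first place.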