Requirement 12 of the PCI DSS: Maintain a policy that addresses information security for all personnel
Here we are at the 12th and final requirement of the PCI DSS. What a journey this has been. Looking back, we discussed creating a secure network starting with a firewall at the perimeter, all the way down to limiting users’ access and having unique usernames and passwords for your staff. The final step is to create an information security policy that will guide you and your staff through all of the processes and procedures of your business with security in mind. Think of the information security policy as your rules and expectations for your staff. It is essential that everyone in the company, from top to bottom, understands the guidelines spelled out in the information security policy. Let’s take a look at a few of the requirements in the PCI DSS that your information security policy needs to cover.
The very first point specified in requirement 12.1 is to establish, publish, maintain and disseminate an information security policy that addresses all PCI DSS requirements. I believe that if this requirement is followed properly you will be setting yourself up to have true, consistent behavior in regards to security and not just a check box approach.
This brings me to the most important part of an information security policy: Training. Requirement 12.6 reads:
Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
I feel that having a proper training program set up for your employees is one of the biggest factors in successfully implementing a security policy. If personnel are not educated about their security responsibilities, the security guidelines you have established may become ineffective through errors or unintentional actions. The weakest point of an organization’s security is the end user. If the end user is not trained or educated on security best practices, then critical data will be much harder to protect.
Trustwave, which recently acquired SecureConnect, is a leader in providing research and reports on data security. Trustwave’s SpiderLabs Research Team is at the epicenter of this intelligence. One of their more recent studies, on the strength of passwords, was featured by a news station in Chicago. The segment included the Vice President of SpiderLabs, Nicholas Percoco, who explained that people are still not using strong enough passwords.
In the segment, Percoco revealed that of the passwords sampled in their study, Password1 was the most common. That password is weak, easy to guess and insecure. Beyond that, other common passwords include boys’ names, girls’ names and pets’ names. While these may not be as easy to guess, they are still just as easy to crack as Password1. Hackers use password cracking programs that are widely available on the internet. Such a program works through dictionaries of common words and names, trying each one against the password, and runs until a match is found.
In the news segment, they also touch on how a random password like 6kji*%f may seem more secure, but it is not. On average a random seven character password can be cracked within eight and a half minutes using password cracking software. Percoco advises using passwords that are nine or ten characters in length or more. Passwords of that length will most likely exceed a hacker’s patience and they will move on to an easier target.
Another point to consider is using passphrases rather than passwords. Percoco said passphrases are generally easier to remember and longer, so harder for a hacker to crack. For more on passwords and how to choose a strong password, read our blog: The Truth About Passwords: Is Yours Strong Enough?
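To make the two points above concrete (a common word with digits tacked on is no better than the word itself, while length and passphrases are what actually raise the cost of cracking), here is an added illustration. It is example code written for this post, not code from Trustwave, SpiderLabs or SecureConnect. The wordlist, the guessing rate and the passphrase wordlist size are constructed assumptions, so the times it prints are illustrative and are not the figure quoted in the news segment.

```python
import math
import re

# Constructed sample wordlist standing in for the dictionaries of common words and
# names that cracking tools use (illustrative only, not Trustwave's study data).
COMMON_WORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}
COMMON_NAMES = {"michael", "jessica", "james", "emily", "max", "bella"}

# Assumed guessing rate for the time estimate; a hypothetical figure, not the one
# behind the "eight and a half minutes" quoted in the post.
GUESSES_PER_SECOND = 1_000_000_000

# Assumed size of the random word list a passphrase would be drawn from.
PASSPHRASE_WORDLIST_SIZE = 7776


def charset_size(pw):
    """Size of the alphabet a brute-force search has to cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def dictionary_hit(pw):
    """True when the password is a common word or name, optionally with a digit/symbol suffix."""
    core = re.sub(r"[0-9!@#$%^&*]*$", "", pw).lower()
    return pw.lower() in COMMON_WORDS or core in COMMON_WORDS or core in COMMON_NAMES


def entropy_bits(pw):
    """Estimated guessing effort in bits, using the cheapest attack the password allows."""
    if dictionary_hit(pw):
        # A dictionary attack only has to try the word list times a handful of
        # suffix variants, regardless of how many character classes the password uses.
        candidates = (len(COMMON_WORDS) + len(COMMON_NAMES)) * 10_000
        return math.log2(candidates)
    words = pw.split()
    if len(words) >= 3:
        # Passphrase: model it as words drawn at random from the assumed word list.
        return len(words) * math.log2(PASSPHRASE_WORDLIST_SIZE)
    # Random characters: the attacker has to search the full keyspace.
    return len(pw) * math.log2(charset_size(pw))


def seconds_to_crack(pw):
    """Average time to hit the password at the assumed rate (half the search space)."""
    return (2 ** entropy_bits(pw)) / 2 / GUESSES_PER_SECOND


def policy_check(pw, min_bits=50):
    """Return (accepted, reason) the way a password policy screen would."""
    if dictionary_hit(pw):
        return False, "common word or name, even with digits added"
    bits = entropy_bits(pw)
    if bits < min_bits:
        return False, f"only {bits:.0f} bits of effort; use a longer password or a passphrase"
    return True, f"{bits:.0f} bits of effort"


if __name__ == "__main__":
    samples = ["Password1", "bella2013", "6kji*%f", "6kji*%fQ2b", "correct horse battery staple"]
    for pw in samples:
        ok, why = policy_check(pw)
        verdict = "accepted" if ok else "rejected"
        print(f"{pw!r:32} {verdict:9} {why} (~{seconds_to_crack(pw):.0f} s)")
```

Running the script shows Password1 and a pet’s name with a year appended rejected as dictionary hits, the seven character random password rejected for falling short of the effort threshold, and both the ten character random password and the four word passphrase accepted, which is the same ordering Percoco describes.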
Data breaches within the retail industry are on the rise. The latest victim is the MAPCO convenience store chain which had customer credit and debit card information stolen. It is reported that cybercriminals used malware to gain access to the payment processing system and collect cardholder data.
MAPCO announced the breach last week and said it occurred between March 19-25, April 14-15, and April 20-21, 2013. The data breach affected MAPCO Express®, MAPCO Mart®, East Coast®, Discount Food Mart™, Fast Food and Fuel™, Delta Express® and Favorite Markets® stores in Alabama, Arkansas, Georgia, Kentucky, Mississippi, Tennessee and Virginia. MAPCO’s breach is yet another example of the growing risk within the retail industry.
According to the 2013 Trustwave Global Security Report, the retail industry made its way back to the top of the breached list with 45% of all data breach investigations in 2012 being from that segment. Compare that to just the year before where only 33.7% of all investigations were retail businesses. The 15% spike in breaches only confirms the fact that retail merchants are failing to take the proper steps to protect data and secure their networks.
The food and beverage industry spent 2009 to 2011 at the top of that list. However, this year it made up a smaller, yet still substantial, 24% of investigations. One can only assume that after three years of focus on that industry, food and beverage merchants have begun to take a proactive approach and combat cybercriminals with proper network security. It’s an approach that appears to have paid off.
SecureConnect has focused much of its attention on this segment and has seen first-hand over the last few years how merchants have become more familiar with PCI compliance and understand the risks of not addressing network security.
The PCI SSC is determined to make certain all merchants are educated on the importance of credit card security, and its series of short, entertaining videos may just be the trick. In previous blogs we highlighted its videos introducing PCI compliance and discussing password protection. The third PCI SSC video in the series covers three security best practices for card readers.
The three best practices involve:
The location of a card reader
Examining the card reader and connecting cords
Access to the card reader
Check out this third video in the PCI SSC’s Protecting Cardholder Data Is Good For Your Business video series:
Requirement 11 of the PCI DSS: Regularly test security systems and processes
Requirement 11 is one of the more technical requirements of the PCI DSS that focuses on testing the Cardholder Data Environment (CDE) for vulnerabilities. Some of the steps in this requirement will not be able to be completed by the merchant without some outside assistance.
To help you to better understand this requirement, I am going to first explain Requirement 11.2.2, which reads:
Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
An Approved Scanning Vendor (ASV) is an organization approved by the PCI SSC which performs vulnerability scans on merchants’ CDEs. External vulnerability scanning is a specific test that looks for weaknesses in a network’s perimeter that can be exposed or exploited by malicious individuals looking to gain unauthorized access into the network. The PCI SSC has a specific list of rules and guidelines that an ASV must comply with in order to be certified by the PCI SSC to perform external vulnerability scanning for merchants in the pursuit of PCI compliance. Currently the PCI SSC has a list of over 130 certified Approved Scanning Vendors that can be found at the PCI SSC’s website. Having these external vulnerability scans run each quarter is only the beginning of what a merchant will need to do to meet requirement 11.
Now that you understand what external vulnerability scanning is, let’s go back to Requirement 11.2.1, which talks about internal vulnerability scanning.