Wednesday, May 23, 2012

Written by VayuMedia
Seven Things Hackers Don’t Want You to Know About PCI

Created: 23/09/11
Author name: Davis-Crowe Hortwith
Author company: Davis-Crowe Hortwith

Patrick D. Warren, CIA, and Jeffrey A. Palgon, CPA, CISSP, CISM, CISA

Any compliance-savvy organization that handles cardholder information will address the requirements of the Payment Card Industry Data Security Standard (PCI DSS), including:

  • Removing, encrypting, or truncating all its card data;
  • Segmenting its networks;
  • Hardening all of its in-scope applications and systems; and
  • Limiting unnecessary access, issuing the requisite policies and procedures, training its staff, patching all its systems, and upgrading its logging and incident management capabilities.

After assuring the board of directors, the acquiring bank, the card brands, and the regulators of the organization’s compliance, the responsible person and his or her staff commonly get back to business and forget about the PCI DSS until the next annual visit from the Qualified Security Assessor.

In fact, that is exactly what hackers, card-trading forums, and the underground marketplace – those trading in stolen card data – hope will happen. Criminals who trade in stolen card data work 24/7, year-round, and across the globe. They don’t want organizations’ defenses to be flexible and adaptable, or security controls to be maintained and monitored continuously – and criminals don’t want anyone else to know the following facts about preventing or detecting an attempted network breach.

1. Simple vigilance keeps an organization ahead of ever-evolving hacker techniques.

An active cross-border marketplace exists both for stolen card data and for information about gaps in PCI requirements. Hackers and criminal organizations exploit the ubiquity and anonymity of the Internet to share information and collaboratively breach defenses. Because hackers can work faster and more efficiently than the standard can be updated, it’s vital that organizations’ defenses evolve as quickly as the hackers’ ability to find vulnerabilities. To stay ahead of the curve, organizations should:

  • Search for vulnerabilities and apply patches more frequently than the PCI standard requires.
  • Update the organization’s risk assessment to identify the latest methods being used to breach networks. Don’t rely on assumptions based on outdated applications and encryption.
  • Implement the most current card-processing applications and replace outdated card-processing terminals. Determine whether each application or terminal is the current version and, if not, whether it can be upgraded or replaced. Organizations with outdated point-of-sale terminals might be less secure than they think. Lists of approved hardware and applications are available at www.visa.com and www.pcisecuritystandards.org.
  • Identify weaker or proprietary encryption algorithms and be critical of vendor-provided solutions that use encryption that has not been publicly vetted. The PCI standard requires strong encryption but does not specify which algorithms qualify. It’s up to each organization to ask its card application vendor whether it uses recognized encryption algorithms that have withstood methodical and organized attacks.

2. Proactive procedures increase fraud detection.

An organization might not realize that its card data or system has been compromised. Hackers could be waiting for the best time to turn their stolen data into money. Criminal organizations treat card data like perishable inventory, and each stolen card must be used by the card expiration date. Similarly, not all compromised networks are exploited immediately. To avoid being detected by monitoring tools, hackers who have penetrated a network and installed tools to access a system might delay taking action. The delay increases the difficulty of attributing a data compromise to any single event.

Merchants, financial institutions, and their servicers can mitigate this risk with actions that go beyond the PCI requirements:

  • Perform daily, as opposed to annual, assessments of the vulnerabilities of internal databases and devices, looking for any anomaly that does not relate to an authorized system change or other known event. Some security tools have evolved to the point at which daily scans, with a focus on the areas of the network with higher risk, are viable.
  • Change card data encryption keys more frequently than the annual requirement.
  • Reissue cards even before their expiration dates. It could be cheaper to issue a new card proactively than to replace it after an incident of fraud.
  • Consider new payment applications that rely on alternative payment credentials such as one-time account numbers.

3. Hardware encryption offers an additional layer of protection.

Given enough time, software-based encryption can be surmounted. Although the PCI standard doesn’t require hardware-based encryption, organizations should, whenever practical, use hardware security modules (HSMs) to encrypt cardholder data. HSMs protect against the compromise of software operating commands, since access to those commands might allow an attacker to display a clear-text key, which could then be used to decrypt and read cardholder information.

4. Transmission encryption is simple, low-cost, and effective.

Although the PCI DSS does not yet require internal system encryption when transporting cardholder data on a private network, data encryption solutions abound and should be used to transport data among hosts, servers, and systems behind the firewall. This type of transmission encryption may be the simplest and most cost-effective step an organization can take to protect against unauthorized viewing of card data by malicious employees, contractors, and vendors working inside the organization.

5. Enterprisewide participation is more effective than individual heroic efforts.

If an organization’s compliance efforts are mainly the result of “heroic” efforts by a single dedicated individual, it’s time to get data processing, business units, and other parts of the organization that could affect the security of cardholder data involved in an enterprise risk management program. Organizations in which one person drives the security and compliance efforts are more vulnerable to fraud. Redoubling PCI education efforts to obtain enterprisewide participation is critical to withstanding unanticipated or multiple threats.

6. Augmented penetration testing helps defend against social engineering and trickery.

Not all information breaches result from hackers or technology glitches; some result from human error. Even trained and well-intentioned employees can inadvertently divulge secrets via email, phishing, or voice mail, or fall victim to a well-dressed, glib visitor who needs “only a minute” of their time. Organizations should go beyond the required PCI penetration testing, which includes internal tests that identify technical vulnerabilities in devices on the card processing network. Making staff members aware of social engineering methods and training them to react appropriately to attempted trickery could improve the organization’s risk profile.

7. Compensating controls are a two-edged sword.

Knowledge of an organization’s compensating controls can inadvertently provide hackers with opportunities to breach a network’s defenses. Compensating controls, which go above and beyond PCI DSS requirements, are intended to provide flexibility in applying controls in the cardholder data environment and compensate for an inability to implement a particular PCI DSS requirement because of a business or technical constraint. Information about commonly used compensating controls is publicly available in trade journals and discussed openly at industry conferences. If hackers understand enough about an organization’s compensating controls, they have the equivalent of insider information and can plan their attacks accordingly. Organizations need to confirm that their compensating controls meet the exact intent and rigor of the relevant PCI requirement. Compensating controls should be analyzed annually, as they are not meant to be permanent but rather a means for providing time to work through the constraints that prevent the quick implementation of a particular requirement as it is spelled out in the PCI DSS.

As the periodically updated PCI DSS continues to evolve, it remains an effective weapon in the never-ending battle against sophisticated fraudsters seeking to steal and monetize cardholder data. Filing a report on compliance is the beginning, not the end, of an organization’s incessant arms race against well-informed and organized hackers. Winning requires vigilance, keeping defenses current, and – where necessary – going beyond basic PCI requirements.

Rick Warren is a principal with Crowe Horwath LLP in the Atlanta office. He can be reached at 404.442.1606 or rick.warren@crowehorwath.com.
Jeff Palgon is with Crowe Horwath LLP in the Atlanta office. He can be reached at 404.442.1623 or jeff.palgon@crowehorwath.com.


