PCI and the Art of the Compensating Control – CSO Online – Security and Risk
This guide to compensating controls is excerpted from chapter 12 of PCI Compliance by Dr. Anton Chuvakin and Branden Williams (Syngress, 2009). For a full sample chapter, see http://www.pcicompliancebook.info/
Information in this chapter:
* What is a Compensating Control?
* Where are Compensating Controls in PCI DSS?
* What a Compensating Control Is Not
* Funny Controls You Didn’t Design
* How to Create a Good Compensating Control
Few payment security professionals can find a hotter PCI DSS topic than compensating controls. They always look like this mythical accelerator to compliance used to push PCI Compliance initiatives through completion at a minimal cost to your company with little or no effort.
Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid.
Also on CSOonline: PCI DSS No Angel, But Certainly Not the Devil
The goal of this chapter is to paint a compensating control mural. After reading this chapter, you should know how to create a compensating control, what situations may or may not be appropriate for compensating controls, and what land mines you must avoid as you lean on these controls to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).
via PCI and the Art of the Compensating Control – CSO Online – Security and Risk.
RSA 2010 EXCLUSIVE PCI Security Standards Council Interview
RSA 2010 EXCLUSIVE PCI Security Standards Council Interview
At RSA 2010, I was given a unique opportunity to interview Bob Russo GM at PCI SSC and Troy Leach CTO at PCI SSC. I have prepared a deck of very tough questions and then had an hour-long discussion with Bob and Troy around those questions. What follows is the interview reconstruction from my notes with minimum edits and clarifications by the Council folks.
Subscriptions Deal with Transactions Times Twelve
I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card) and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket! While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, but it is interesting to consider what might happen if you were to reduce the number of payment cards you process in one year.
CyberCrime & Doing Time: What the Bad Guys Know: We’ll Click on ANYTHING!
For years the bad guys have been working to perfect the perfect social engineering schemes. By “social engineering” we are talking about the fact that in most situations the biggest security risk present at a computer has nothing to do with technology and everything to do with the human at the keyboard. The bad guys have made a science out of sending various malicious links and malware attachments to people and determining what message is required to make the human at the keyboard do what they want them to do.
What message is required to make you open an attachment to your email? A few that bad guys have discovered work reliably are to tell you that its information about an undelivered package (such as the UPS, DHL, USPS, FedEx scams we’ve seen), or a message that says your email is going to be deleted unless you confirm you still want it. For years an obvious one has been to pray on male insecurity about their sexual prowess, promising that clicking their link will lead to a larger penis which will make the women you know beg you for sex every night!
But recently the bad guys have figured out that it really doesn’t matter what they type in the email, if they only need a few people to buy their product or follow their link. The current round of Zeus spam doesn’t have a meaningful subject, and doesn’t contain any text at all! Only a link.
And people are clicking on it like mad to infect themselves! What mystery! I think I’ll click and see what it is!
The top email subjects right now are:
via CyberCrime & Doing Time: What the Bad Guys Know: We’ll Click on ANYTHING!.
Researchers find huge weakness in European payment cards
Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.
The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN or EMV cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.
European banks hail the system as more secure, as U.S. cards do not have the microchip, which has so far prevented some types of card cloning.
But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered.
The card thinks that the transaction was authorized by a signature. In some instances, point-of-sale terminals may have trouble connecting back to a card’s issuing bank but allow a transaction anyway if completed by a signature.
The attack requires high-level knowledge of the chip-and-PIN system and some external hardware as the researchers demonstrated on the BBC’s Newsnight program on Thursday.
Nonetheless, “this flaw is really a popper,” said Ross Anderson, professor of security engineering, on Newsnight.
via Researchers find huge weakness in European payment cards | Privacy Digest.
Protect Your Cash or Lose Your Business
It seems like every week there’s another story about a small business owner who’s been ripped off by someone they trusted with their hard earned cash. Just last week, my plumber said he was probably going to file for bankruptcy because his trusted office manager took off with $60k of the company’s funds.Red alert folks!You must have controls in place in your business to protect what you have worked so hard to achieve. Yes, it can happen to you and your business will suffer for it. Here’s proof.The Association of Certified Fraud Examiners ACFE survey conducted earlier this year reported that more than half 55.4 percent of respondents said the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior. Additionally, about half 49.1 percent of respondents cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity 27.1 percent and increased rationalization 23.7 percent. There’s no time like the present to make sure you are protected.Here are six things you can do to safeguard your cash flow.
via Protect Your Cash or Lose Your Business | Small Business Trends.
FBI Says ‘Money Mule’ Scams Now Top $100 Million
The hackers looting bank accounts of small and mid-sized businesses around the county are hitting new victims every week, and have now racked up approximately $100 million in attempted losses, the FBI said Tuesday.
“The infection vector has not been determined in every case,” the bureau’s Internet Crime Complaint Center wrote in an intelligence note on the growing scam. “However, FBI analysis has identified more than two dozen different pieces of malware on the compromised account holders’ computers all containing key loggers.”
Using these Trojan horses, cybercrooks have been intercepting victims’ web-banking credentials and then initiating money transfers to mules around the country. The mules are consumers who’ve been lured into fake work-at-home scams, in which their employment involves receiving money and then forwarding the funds to Eastern Europe.
The money has been siphoned through wire transfers, and through Automated Clearing House, or ACH, networks, the bureau said. ACH networks are normally used for direct deposits and online bill payment.
“In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out,” the FBI reports. “These ACH transfers ranged from thousands to millions of dollars.”
Just last week the FBI had put the losses at $40 million, according to a story by WashingtonPost.com reporter Brian Krebs, who’s been closely following the attacks. On Thursday the FDIC warned U.S. banks to watch for suspicious activity that could indicate a customer has been recruited as a mule.
via FBI Says ‘Money Mule’ Scams Now Top $100 Million | Threat Level | Wired.com.
Shoplifters? Studies Say Keep an Eye on Workers
At the Saks flagship store in Manhattan, a 23-year-old sales clerk was caught recently ringing up $130,000 in false merchandise returns and siphoning the money onto a gift card.“Gift card fraud is spiking,” said Joshua Bamfield, author of the Global Retail Theft Barometer, an annual international survey of retailers. “To employees, this is like currency. It’s almost as good as the U.S. dollar.”After all, walking out with a little card in the wallet is a whole lot easier than lugging a big-screen TV out the rear of a store.
via Shoplifters? Studies Say Keep an Eye on Workers – NYTimes.com.
Emerald Business Systems Blog 