Emerald Business Systems Blog

PCI and the Art of the Compensating Control – CSO Online – Security and Risk

Posted in PCI, POS, Security by ebs4pos on March 16, 2010

This guide to compensating controls is excerpted from chapter 12 of PCI Compliance by Dr. Anton Chuvakin and Branden Williams (Syngress, 2009). For a full sample chapter, see http://www.pcicompliancebook.info/

Information in this chapter:

* What is a Compensating Control?

* Where are Compensating Controls in PCI DSS?

* What a Compensating Control Is Not

* Funny Controls You Didn’t Design

* How to Create a Good Compensating Control

Few payment security professionals can find a hotter PCI DSS topic than compensating controls. They always look like this mythical accelerator to compliance used to push PCI Compliance initiatives through completion at a minimal cost to your company with little or no effort.

Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid.

The goal of this chapter is to paint a compensating control mural. After reading this chapter, you should know how to create a compensating control, what situations may or may not be appropriate for compensating controls, and what land mines you must avoid as you lean on these controls to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).

via PCI and the Art of the Compensating Control – CSO Online – Security and Risk.


RSA 2010 EXCLUSIVE PCI Security Standards Council Interview

Posted in PCI, Security by ebs4pos on March 14, 2010

At RSA 2010, I was given a unique opportunity to interview Bob Russo, GM at PCI SSC, and Troy Leach, CTO at PCI SSC. I had prepared a deck of very tough questions and then had an hour-long discussion with Bob and Troy around those questions. What follows is the interview reconstruction from my notes, with minimal edits and clarifications by the Council folks.

via Anton Chuvakin Blog – “Security Warrior”: RSA 2010 EXCLUSIVE PCI Security Standards Council Interview.

Thieves skim customer data from debit terminals

Posted in Bars and Taverns, PCI, POS, Restaurant, Retail, Security by ebs4pos on March 13, 2010

Thieves are accessing personal financial information using the old-fashioned smash-and-grab method, but what they’re grabbing are point-of-sale terminals, not merchandise.

CBC-TV’s Marketplace has learned that many retailers are not helping the situation because they leave valuable information on the terminals where customers swipe their debit and credit cards when paying for purchases instead of wiping the data each night as they’re supposed to.

It’s the equivalent of leaving the store vault open and full of cash, except the cash is credit and debit card data, said RCMP Det. John Koppes of Abbotsford, B.C., who is the Mounties’ computer crime specialist.

Watch “Who’s Minding the Store” on Marketplace, Friday at 8:30 p.m. ET, 9 p.m. in Newfoundland and Labrador.

“In the old days, they’d go with a gun, and they would try to get into the bank vault,” said Koppes. “The criminals now know that the open bank vault per se can be the point-of-sale terminals sitting on a counter top or in a store.”

via CBC News – Consumer Life – Thieves skim customer data from debit terminals.

Subscriptions Deal with Transactions Times Twelve

Posted in Online Business, PCI, Retail, Security by ebs4pos on February 27, 2010

I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card), and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket! While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, it is interesting to consider what might happen if you were to reduce the number of payment cards you process in one year.

via Branden R. Williams, Business Security Specialist » Subscriptions Deal with Transactions Times Twelve.

CyberCrime & Doing Time: What the Bad Guys Know: We’ll Click on ANYTHING!

Posted in Online Business, Security by ebs4pos on February 27, 2010

For years the bad guys have been working to perfect the perfect social engineering schemes. By “social engineering” we are talking about the fact that in most situations the biggest security risk present at a computer has nothing to do with technology and everything to do with the human at the keyboard. The bad guys have made a science out of sending various malicious links and malware attachments to people and determining what message is required to make the human at the keyboard do what they want them to do.

What message is required to make you open an attachment to your email? A few that bad guys have discovered work reliably are to tell you that it’s information about an undelivered package (such as the UPS, DHL, USPS, FedEx scams we’ve seen), or a message that says your email is going to be deleted unless you confirm you still want it. For years an obvious one has been to prey on male insecurity about their sexual prowess, promising that clicking their link will lead to a larger penis which will make the women you know beg you for sex every night!

But recently the bad guys have figured out that it really doesn’t matter what they type in the email, if they only need a few people to buy their product or follow their link. The current round of Zeus spam doesn’t have a meaningful subject, and doesn’t contain any text at all! Only a link.

And people are clicking on it like mad to infect themselves! What mystery! I think I’ll click and see what it is!

The top email subjects right now are:

via CyberCrime & Doing Time: What the Bad Guys Know: We’ll Click on ANYTHING!.

Visa to Offer Popular “No Signature” Program to Majority of Merchant Categories in the U.S.

Posted in Bars and Taverns, PCI, POS, Restaurant, Retail, Security by ebs4pos on February 14, 2010

Visa Inc. (NYSE:V) today announced plans to offer its No Signature Required program to the majority of merchant categories in the United States beginning July 2010, making the switch to Visa digital currency even more convenient and compelling.

Under the new expanded program, for domestic transactions $25 and less, retailers can accept U.S.-issued Visa cards for purchases without requiring a cardholder signature; this program has the potential to increase speed at the point of sale and enhance customer satisfaction.

“Visa’s No Signature Required program has been enormously popular with Visa cardholders and merchants in busy retail environments like quick service restaurants and coffee shops,” said Bill Sheedy, president, the Americas, Visa Inc. “Innovation comes in many forms and enabling Visa cardholders to swipe their card and go at most U.S. retailers is a small, but significant advance in the ongoing migration to digital currency.”

According to a Visa Inc. survey, 69 percent of participants surveyed cited either convenience or speed as the primary reason for using their credit or debit card. Visa consumer research also found that payment options influence a consumer’s decision to visit a business and acceptance of payment cards has the potential to lead to stronger customer satisfaction and retention for retailers.

With the changes announced today, approximately 98 percent of all U.S. merchant category codes in the Visa system will be covered by the No Signature Required program.

Currently 26 merchant categories are eligible for No Signature Required in the U.S. They include: auto parking lots and garages; bakeries; book stores; bus lines; candy, nut and confectionary stores; car washes; dairy stores; drug stores and pharmacies; dry cleaners; fast food restaurants; laundries; local commuter transport; miscellaneous food stores; motion picture theaters; news dealers and newsstands; quick copy services; restaurants; service stations; taxicabs and limousines; tolls and bridges and video rental stores.

Offering the No Signature Required program will allow hundreds of thousands more U.S. retailers, including traditionally cash-heavy merchants such as discount stores, to enjoy greater benefit from card acceptance on low dollar transactions. These benefits include the potential for faster payment, increased sales and operating efficiencies they don’t get from cash and checks.

via Visa to Offer Popular “No Signature” Program to Majority of Merchant Categories in the U.S.

Researchers find huge weakness in European payment cards

Posted in PCI, POS, Security by ebs4pos on February 14, 2010

Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.

The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN or EMV cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.

European banks hail the system as more secure, as U.S. cards do not have the microchip, which has so far prevented some types of card cloning.

But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered.

The card thinks that the transaction was authorized by a signature. In some instances, point-of-sale terminals may have trouble connecting back to a card’s issuing bank but allow a transaction anyway if completed by a signature.

The attack requires high-level knowledge of the chip-and-PIN system and some external hardware as the researchers demonstrated on the BBC’s Newsnight program on Thursday.

Nonetheless, “this flaw is really a popper,” said Ross Anderson, professor of security engineering, on Newsnight.

via Researchers find huge weakness in European payment cards | Privacy Digest.

Protect Your Cash or Lose Your Business

Posted in General Business, Security by ebs4pos on January 10, 2010

It seems like every week there’s another story about a small business owner who’s been ripped off by someone they trusted with their hard-earned cash. Just last week, my plumber said he was probably going to file for bankruptcy because his trusted office manager took off with $60k of the company’s funds.

Red alert folks! You must have controls in place in your business to protect what you have worked so hard to achieve. Yes, it can happen to you and your business will suffer for it. Here’s proof.

The Association of Certified Fraud Examiners (ACFE) survey conducted earlier this year reported that more than half (55.4 percent) of respondents said the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior. Additionally, about half (49.1 percent) of respondents cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27.1 percent) and increased rationalization (23.7 percent). There’s no time like the present to make sure you are protected.

Here are six things you can do to safeguard your cash flow.

via Protect Your Cash or Lose Your Business | Small Business Trends.

FBI Says ‘Money Mule’ Scams Now Top $100 Million

Posted in General Business, PCI, Security by ebs4pos on January 2, 2010

The hackers looting bank accounts of small and mid-sized businesses around the country are hitting new victims every week, and have now racked up approximately $100 million in attempted losses, the FBI said Tuesday.

“The infection vector has not been determined in every case,” the bureau’s Internet Crime Complaint Center wrote in an intelligence note on the growing scam. “However, FBI analysis has identified more than two dozen different pieces of malware on the compromised account holders’ computers all containing key loggers.”

Using these Trojan horses, cybercrooks have been intercepting victims’ web-banking credentials and then initiating money transfers to mules around the country. The mules are consumers who’ve been lured into fake work-at-home scams, in which their employment involves receiving money and then forwarding the funds to Eastern Europe.

The money has been siphoned through wire transfers, and through Automated Clearing House, or ACH, networks, the bureau said. ACH networks are normally used for direct deposits and online bill payment.

“In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out,” the FBI reports. “These ACH transfers ranged from thousands to millions of dollars.”

Just last week the FBI had put the losses at $40 million, according to a story by WashingtonPost.com reporter Brian Krebs, who’s been closely following the attacks. On Thursday the FDIC warned U.S. banks to watch for suspicious activity that could indicate a customer has been recruited as a mule.

via FBI Says ‘Money Mule’ Scams Now Top $100 Million | Threat Level | Wired.com.

Shoplifters? Studies Say Keep an Eye on Workers

Posted in POS, Retail, Security by ebs4pos on December 29, 2009

At the Saks flagship store in Manhattan, a 23-year-old sales clerk was caught recently ringing up $130,000 in false merchandise returns and siphoning the money onto a gift card.

“Gift card fraud is spiking,” said Joshua Bamfield, author of the Global Retail Theft Barometer, an annual international survey of retailers. “To employees, this is like currency. It’s almost as good as the U.S. dollar.”

After all, walking out with a little card in the wallet is a whole lot easier than lugging a big-screen TV out the rear of a store.

via Shoplifters? Studies Say Keep an Eye on Workers – NYTimes.com.
