The Aegis: a newsletter from

The Aegenis Group

Volume 1, Issue 2 - July 2007

Welcome to the second issue of The Aegis, a newsletter published by The Aegenis Group, Inc.  In this issue, the principals of The Aegenis Group discuss a variety of topics, including finding track data and PCI DSS compliant hosting.  We've also included relevant industry news and events.  It's our hope that you find our newsletter to be an informative and interesting resource.
 
Aegenis Tips & Tricks
The Aegenis Group Shares Advice on Tough Compliance Questions

Before undertaking PCI DSS remediation, look for ways to reduce the scope of the effort.

Many companies pursue PCI DSS compliance in a linear fashion, churning through the 12 high-level and 200+ sub-requirements in a systematic and orderly fashion without considering how to limit the scope of the effort.  While this may result in technical compliance, it is likely to be a very expensive and difficult undertaking.

The PCI DSS applies only to systems that store, transmit or process Cardholder Data.  This environment is called the 'Cardholder Data Environment'.  With adequate segmentation and logical controls, this environment can be reduced significantly in most cases, resulting in a PCI effort that is a fraction of the original scope.  Here are three steps to reduce the scope:

1) Understand where Cardholder Data is stored, transmitted, or processed and consider methods of restricting the type of data.  From a PCI DSS perspective, properly truncated or hashed data is not considered Cardholder Data if it is received in such a format.

2) Employ techniques to remove Cardholder Data from systems and applications where it is not truly needed.  If, for example, a customer service application only needs the first six and last four digits of the PAN to allow a customer service representative to identify an account, restrict the stored data within the application to only properly truncated data.  With adequate segmentation and controls, this application and its supporting system may be considered 'out of scope.'

3) Ensure adequate controls are in place to segment the Cardholder Data Environment from the corporate or other networks.  If your organization employs a 'flat' network architecture, it is likely that many systems will be in scope that have little interaction with, or support of, Cardholder Data.  Employ network and application layer controls to limit the size of the environment.

While it may appear labor intensive to undergo such a process, the effort will pale in comparison to the resources required to bring a large, complex environment into strict compliance.

Finding Magnetic Stripe Data 
Reducing risk by finding and removing prohibited data
When considering how to minimize the risk associated with a potential data breach, it is critical to think first about the storage of prohibited data such as full Track I or Track II data.  While the major card brands all have penalties associated with data breaches, those penalties are greatly increased when prohibited data is involved.  As an example, Visa USA publishes its fines associated with 'non-compliance' in the event of a data breach.  If a company exposes 20,000 Primary Account Numbers (PAN), it can expect a significant fine to be levied against its acquirer by Visa.  If, however, the breach exposes full Track I or Track II data, then different rules are applied.  Both Visa USA and MasterCard Worldwide have implemented programs in which the acquirer may be responsible for fraud monitoring and reissuance fees.  These fees are only applied if magnetic stripe data is exposed.


While brevity prevents us from outlining the specifics in great detail in this newsletter, analysis of the variables has shown that simply by ensuring that magnetic stripe data is never retained, acquirers can reduce the potential financial exposure associated with a data compromise by up to 97.3%.


Many organizations do not believe they are storing such data; unfortunately, many companies do not learn that they do until after a breach occurs.  Integrated Point of Sale (IPOS) log files are a favorite target of data thieves.  Often, well-intentioned merchants will unknowingly store card swipe data (magnetic stripe data) in log files.


To ensure that your organization does not have magnetic stripe data, you should take steps to evaluate all critical systems for such data.  For more information on how to locate prohibited data, please contact The Aegenis Group at info@aegenis.com.
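As an added illustration of the check described above, and of the first-six/last-four truncation from the Tips & Tricks section (example code, not part of the newsletter or The Aegenis Group's own tooling): a small Python scanner that looks for Track 1 and Track 2 magnetic stripe data in POS log lines, filters candidate PANs with a Luhn check to avoid flagging ordinary digit runs, and reports hits with the PAN truncated. The log lines and the card numbers in them are constructed test values.

```python
import re

# Constructed sample log lines (test values, not real cards); the PANs
# are standard test numbers that pass the Luhn check.
SAMPLE_LOG = """\
2007-07-01 09:14:02 POS01 sale approved amount=42.10 ref=A1B2
2007-07-01 09:14:02 POS01 swipe=%B4111111111111111^DOE/JANE^10011011000000000000?
2007-07-01 09:15:47 POS02 swipe=;5555555555554444=10011010000000000000?
2007-07-01 09:16:03 POS02 sale approved amount=7.99 card=411111******1111
"""

# Track 1 begins with the start sentinel '%', format code 'B', the PAN,
# then '^'-separated name and additional data; Track 2 begins with ';'
# and uses '=' as its field separator.  Both end with the '?' sentinel.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4,}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4,}[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check, used to filter out digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_track_data(log_text: str) -> list:
    """Return (line_no, track, PAN) for each line holding magnetic stripe data."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    hits.append((n, track, m.group(1)))
    return hits

def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as in the tips section."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

if __name__ == "__main__":
    for n, track, pan in find_track_data(SAMPLE_LOG):
        print(f"line {n}: {track} data found for PAN {truncate_pan(pan)}")
```

Any line the scanner reports holds full magnetic stripe data and is exactly the kind of prohibited storage the section describes; the truncated form printed is the only part that should ever have been kept.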

The Aegenis Group Hosts Merchant Only Forum
Online Forum Allows Merchants to Ask PCI Related Questions of Peers
A common theme among merchants has long been that they would like a place that they can go to ask questions and get advice on the Payment Card Industry Data Security Standard.  For the last several years, the only option for merchants has been to ask their Qualified Security Assessor if they had questions.  For many, though, that is roughly equivalent to asking the professor if your exam answer is correct - by the time they know your answer it's too late to change it.  Recognizing that merchants could benefit significantly from such a forum, The Aegenis Group has created a place where merchants can exchange ideas, experiences and questions about their PCI compliance process. 
 
Merchants can enroll in the forum by visiting this link.  After enrolling in The Aegenis Group PCI Forum, users can send an email with their chosen username to merchantforum@aegenis.com requesting access to the Merchant Only forum.  To expedite registration, please use a work email.  Those who are already registered can simply send an email to the address above.  This will allow us to validate that each user is in fact a legitimate merchant member.  Each registrant will be screened to ensure that the forum remains a place for merchants only.  If you have any questions, or would like more information, please feel free to email us at info@aegenis.com.
Industry Events and Happenings
 
North American Clearing House Association (NACHA) The Payments Institute East - July 22-26 in Atlanta, Georgia

Midwest Acquirers Association (MWAA) - July 25-27 in Cleveland, OH

Western Payment Alliance - September 9-11, 2007 in Las Vegas, NV
 
Electronic Transaction Association (ETA) Strategic Networking and Leadership Forum - September 18-20 in Palm Beach, FL

Western States Acquirers Association (WSAA) - October 17-18 in Anaheim, CA

About The Aegenis Group

The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation.  The Aegenis Group believes that the ability to understand not just the regulatory mandates themselves, but their total impact on the business environment, can act as a compelling tool for business enablement.  From understanding the ways in which your products and services can protect sensitive data to making the right compliance decisions for your business environment, The Aegenis Group can assist your company in facing the risks of an increasingly complex business landscape.

Sincerely,
 

The Aegenis Group
Upcoming Aegenis Events

Shift4 Real Security Summit - September 26-27 in Las Vegas, NV