Volume 2 Issue: 1
January 15, 2008
Welcome to The Aegis in 2008! 2007 proved to be extremely dynamic in terms of new regulations and new technologies for the payments industry, and this year will no doubt prove just as interesting. As we start 2008, The Aegenis Group summarizes some new laws that take effect this month, as well as some proposed laws. This is the first installment of a new regulatory feature that will appear each month. This month also features some hard truths about the effectiveness of scanning alone as a means of ensuring compliance.
As always, please feel free to forward this newsletter to anyone who might find it useful.
A New Year, New Laws
New York and California start the year with more data protection laws
January is setting the stage for what will likely continue throughout 2008. At least two states have added protections for additional consumer data and another state has proposed protections which the legislature will vote on this year.
New York - Effective January 1, 2008, all "individuals and non-governmental firms, partnerships, associations and corporations" are required to adhere to the Social Security Number Protection Law. Not only is communication and printing of the numbers restricted, but appropriate protections must be in place wherever Social Security Numbers are stored. First-time violations are punishable by $1,000 per violation, with a cap of $100,000 per instance; fines for second violations increase to $5,000 per record and $250,000 per incident.
California - California expanded its data breach notification law with the passage of AB 1298. The amended law requires notification in the event of a compromise of electronic medical or health insurance information.
It should also prove interesting to see which states, if any, follow in the footsteps of Minnesota's Plastic Card Security Act.
Framing the Compliance Conversation
Informed discussion necessary to achieve compliance
By now the majority of companies have at least heard of PCI DSS compliance. Visa Inc. reported record levels for compliance validation in 2007, and product vendors are responding to consumer demand for compliant products and services. With this critical mass comes a plethora of questions surrounding the industry, the standard, regulatory compliance and risk.
Every day almost 1,000 people access the PCI Answers blog and Forum. They browse and participate to exchange information on twists and turns in PCI compliance and its impact on different business models. Questions about scoping, sampling, segmentation and proper data protection methods are common, as are the answers and opinions of all who participate. These forums are great for people to submit questions and get answers, but what about the person who has been tasked with organizing and digesting the large volume of data surrounding PCI compliance? It is said that the majority of information surrounding any knowledge domain is openly available, but codifying it in a structured learning environment takes skill and experience.
Many companies start their compliance process by looking for tools that will make them compliant before understanding what "compliance" means - either in general or in relation to their particular environment. Any company that wishes to understand compliance must first understand the basic building blocks, or taxonomy, that make up the "compliance conversation." For example, it is ineffective to discuss scoping without first understanding the basics and nuances of Sensitive Authentication Data, Cardholder Data, and the Cardholder Data Environment.
Once the proper taxonomic scheme is outlined, one can assemble these building blocks to create the conversation of compliance. For example, a common question is what defines "adequate segmentation". Most technologists will answer that firewalls with proper access control lists must be in place, but technology should not be the first step in answering this question. First, one should ask what payment card data is stored within each area of the Cardholder Data Environment. This involves creating an end-to-end transaction flow that classifies data along several vectors, including volume of data, type of data, retention period, protection mechanisms and access rights. Second, one should break the data types down into Sensitive Authentication Data and Cardholder Data. Beyond that, one can further separate Cardholder Data that contains the full PAN from PAN that has been truncated or securely hashed, since only the former carries the full set of protection obligations. Now it is possible to define sufficient network segmentation as it pertains to your specific business model.
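As an added illustration (not from the newsletter or The Aegenis Group), the second and third steps above, sorting what each system holds into Sensitive Authentication Data, full PAN, and truncated or hashed PAN, can be partly automated over a data-store inventory. The inventory rows, system names and field names below are constructed for the example; the classification rules (a Luhn check for a full PAN, first-six/last-four masking for truncation, track-data layouts and a short list of field names for SAD) are assumptions that a real inventory would refine.

```python
import hashlib
import re

# Added example, not from the newsletter. Classifies field values found in a
# constructed, hypothetical data-store inventory into PCI data categories so
# that segmentation can be argued from what each system actually holds.

# Field names that hold SAD regardless of value (assumed list).
SAD_FIELD_NAMES = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}

TRACK1_RE = re.compile(r"^%B\d{13,19}\^[^^]*\^\d{4}")   # %B<PAN>^NAME^YYMM...
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}")           # ;<PAN>=YYMM...
TRUNCATED_RE = re.compile(r"^\d{6}[*xX#]{3,9}\d{4}$")    # first six, last four
HEX_HASH_RE = re.compile(r"^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")  # SHA-1/SHA-256 hex lengths


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's PANs satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(field: str, value: str) -> str:
    """Return one of 'sad', 'full_pan', 'truncated_pan', 'hashed_pan', 'other'."""
    v = value.strip()
    if field.lower() in SAD_FIELD_NAMES or TRACK1_RE.match(v) or TRACK2_RE.match(v):
        return "sad"
    compact = re.sub(r"[ -]", "", v)                  # tolerate "4111 1111 ..." layouts
    if re.fullmatch(r"\d{13,19}", compact) and luhn_valid(compact):
        return "full_pan"
    if TRUNCATED_RE.match(compact):
        return "truncated_pan"
    if HEX_HASH_RE.match(v) and "pan" in field.lower():
        return "hashed_pan"                           # format only; see note below
    return "other"


def scope_report(inventory):
    """Summarise, per system, which categories it holds.

    inventory: list of {"system": str, "field": str, "value": str}.
    'stores_chd' is true when full PAN or SAD is present; systems holding only
    truncated/hashed PAN are not flagged. Connected systems are not modelled.
    """
    report = {}
    for row in inventory:
        entry = report.setdefault(
            row["system"], {"categories": set(), "stores_chd": False, "sad_stored": False})
        cat = classify_value(row["field"], row["value"])
        entry["categories"].add(cat)
        if cat == "sad":
            entry["sad_stored"] = True      # storage after authorization is prohibited outright
        if cat in ("sad", "full_pan"):
            entry["stores_chd"] = True
    return report


# Constructed sample inventory (hypothetical systems and fields).
SAMPLE_INVENTORY = [
    {"system": "web-order-db", "field": "card_number", "value": "4111 1111 1111 1111"},
    {"system": "web-order-db", "field": "cvv2", "value": "123"},
    {"system": "reporting-dw", "field": "pan_masked", "value": "411111******1111"},
    {"system": "loyalty-db", "field": "pan_hash",
     "value": hashlib.sha256(b"4111111111111111").hexdigest()},
    {"system": "pos-log", "field": "raw_swipe", "value": ";4111111111111111=25121011234567890?"},
    {"system": "crm", "field": "phone", "value": "5551234567"},
    {"system": "crm", "field": "order_id", "value": "1234567890123456"},  # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for system, entry in sorted(scope_report(SAMPLE_INVENTORY).items()):
        print(f"{system:14} stores_chd={entry['stores_chd']!s:5} "
              f"sad_stored={entry['sad_stored']!s:5} {sorted(entry['categories'])}")
```

A hash is classified by format only. An unsalted hash of a PAN is not "securely hashed" in any useful sense: with a known six-digit BIN the remaining space of Luhn-valid PANs is small enough to enumerate and hash, so a store of hashed PANs should be checked for a keyed hash or secret salt before it is treated as holding nothing sensitive.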
Properly educating employees about compliance and the nuances of data protection is critical to maintaining open, productive dialogue around compliance. Gaining a broad understanding of these general concepts allows companies to distill them into a useable solution for their specific business environment.
Aegenis Tips & Tricks
Scanning as a brick in the security framework
Recently, it was reported that an e-Commerce site was compromised, revealing customer data, despite the fact that the site bore a well-known symbol indicating that it was safe from such attacks. The symbol borne by the website indicated that the site had been scanned and showed no high vulnerabilities. This is further evidence that scanning alone cannot provide assurances of either compliance with the PCI DSS or general information security best practice.
* Scanning is a snapshot - It provides assurances that, on the given day on which the scan was performed, there were no high-level network vulnerabilities. Given the proliferation of zero-day exploits and the creativity of hackers, the fact that there were no high level vulnerabilities on Thursday does not necessarily mean that there will be no such vulnerabilities on Friday.
* Scanning is diagnostic, not preventative - It is not uncommon to hear of companies relying on their scanning as a means of protection. This is a dangerous stance to take. Scanning does not prevent an attack; it merely diagnoses vulnerability to one.
* Scanning searches out network vulnerabilities, not application vulnerabilities - Many of the breaches occurring today take place at the application layer rather than the network layer. SQL Injection, one of the most commonly used methods of compromise, lives in the application's own code and is invisible to a network vulnerability scan; finding it takes application-layer testing (a web application scanner or manual review), not a scan of open ports and services.
* Scanning is a component of the information security program, not a replacement for it - Scanning can be a useful tool when used as part of a robust, well-rounded information security program. Relying on scanning alone can leave a company dangerously exposed to data compromise. When used in conjunction with timely patch management, strong internal policies and processes that are actively enforced, data classification and control practices, and the other elements of a security practice, scanning provides valuable insight.
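To make the application-layer point concrete, here is an added example (not from the newsletter) of the same customer lookup written two ways against an in-memory SQLite database with constructed rows. Both versions run on the same host, behind the same open port, on the same patched server software, so a network vulnerability scan reports nothing either way; only the first one hands the table to whoever controls the email parameter.

```python
import sqlite3

# Added example, not from the newsletter: one lookup, vulnerable and hardened.
# Table contents and the injection string are constructed for the example.


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding only the last four digits of each PAN."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, pan_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "4444")],  # constructed rows
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str):
    """String concatenation: whatever the caller supplies is parsed as SQL."""
    sql = "SELECT email, pan_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str):
    """Parameterised query: the input is bound as data and never reaches the SQL parser."""
    return conn.execute(
        "SELECT email, pan_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology payload; the closing quote is supplied by the concatenated query.
INJECTION = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input :", lookup_vulnerable(conn, "alice@example.com"))
    print("vulnerable, injection    :", lookup_vulnerable(conn, INJECTION))   # every row
    print("safe, injection          :", lookup_safe(conn, INJECTION))         # nothing
```

The difference between the two functions is a single line of application code; no port scanner or network-level vulnerability signature can distinguish them, which is why a clean external scan says nothing about whether this flaw exists.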
Welcome to Shelley Henson Johnson, M.Ed
Vice President Training and Instructional Design
The Aegenis Group is proud to announce that Shelley Henson Johnson has joined the company. She will be heading Aegenis' training initiatives. She brings significant experience in the use of technology to further education and training. With over ten years of experience in Instructional Design and Technology, Shelley promises to bring exciting new developments to the Aegenis team. To learn more about Shelley, read her bio.
Industry Events and Happenings
National Retail Federation 97th Annual Convention and Expo - January 13-18, 2008, New York, NY
NACHA Global Payment Strategies 2008 - January 22-23, 2008, Belgium
BAI Transpay Conference and Expo - February 5-7, Grapevine (Dallas), TX
Electronic Retailing Association Mid-winter Conference and Expo - March 2-4, 2008, Miami, FL
AFP Payments Forum - March 9-11, 2008, Phoenix, AZ
About The Aegenis Group
The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation. The Aegenis Group believes that understanding not just the regulatory mandates themselves, but their total impact on the business environment, can be a compelling tool for business enablement. From understanding the ways in which your products and services can protect sensitive data to making the right compliance decisions for your business environment, The Aegenis Group can assist your company in facing the risks of an increasingly complex business landscape.
Sincerely,
The Aegenis Group
Read Articles by The Aegenis Group
Principals of The Aegenis Group write and speak frequently in the industry. Here are links to their recent articles:
Dr. Mark recently co-authored an article in Direct Selling News. Read the article, "Protecting Cardholder Data," here.
Michael Dahn has written an article in the Sept. issue of Digital Transactions.
Dr. Mark frequently writes for Transaction World. Access her articles here.