March 16, 2009
Vol 3, Issue 3
The Aegis
A Newsletter Presented by
SPSP
Dear Aegis Subscribers,
As we come to the end of the first quarter of 2009, the SPSP has several new initiatives to announce.  We are pleased that your support has allowed us to undertake these new projects and look forward to your continuing support.  As usual, we also include articles that we hope you will find informative.  This month, we address the climate in the Payment Card Industry.  The current climate is one in which most are recognizing that simply complying with the PCI DSS is not sufficient to adequately protect all personal information in the payment system.  We also address the air of suspicion that permeates the industry - the shifting of blame rather than cooperation.  It is our hope that the SPSP can help in the nurturing of a cooperative environment in which Payment Security Professionals can work together to raise the bar industry wide. 

As always, please feel free to forward the newsletter to anyone you feel might be interested.

Best Regards,


Heather Mark, PhD, CPISM, CISSP, CIPP
Executive Director
888-616-3330 ex. 11

SPSP

Cooperation
In This Issue
Wear Your Seatbelt...
A Collaborative Environment?
PCI DSS Value Survey
Secure Payments Magazine Set to Debut
2009 CPISM/CPISA Training Dates
SPSP Webinars
Upcoming Events
Join the SPSP Today!
About SPSP
Quick Links
The Society of Payment Security Professionals
SPSP News & Articles

Dr. Heather Mark Articles
Dr. Mark frequently writes for Transaction World.  Access her articles click here.
Miss an issue of Aegis?
SPSP posts archived versions of the newsletter on the website.  To see past issues of The Aegis, click here.
Sign up for our Newsletter

Wear Your Seatbelt...and Maybe a Helmet by Chris Mark, CPISM/A, CISSP, CIPP

In the world of payment security, the PCI DSS should be thought of largely like a seatbelt.  We all wear seatbelts when we drive and feel that in the normal course of our daily lives defensive driving, airbags, and our setbelts will protect us in the event of an accident.  Unfortunately, we likely all know people who have been killed in automobile accidents while wearing their seatbelts.  This does not mean that seat belts are not an effective tool for protection, but that they cannot protect in every instance, and are best used in conjunction with other protections (such as the airbags and driving techniques listed above).

It is difficult to argue that wearing a seatbelt is a bad idea.  It simply makes sense in most cases.  It is also difficult to argue that if a person is going to be racing a car or engaging in a automobile stunt show, that additional protections should not be considered.  While a seatbelt is a minimum level of protection for the standard driver, a racecar driver certainly requires additional protection. 

The PCI SSC states:

"The PCI SSC believes that the best way to protect cardholder data that is stored, transmitted, and processed is by implementing the PCI DSS and remaining in full compliance." 

The challenge with the statement listed above is that it suggests that compliance with the PCI DSS alone is sufficient to protect data.  This is akin to saying that, no matter the driving circumstance, whether it be a Sunday drive or 24 hour grand prix, a seatbelt would be sufficient protection.  In today's environment where organized  crime rings  are employing data thieves to steal data, compliance with the PCI DSS alone is akin to driving in a Nascar race while relying only upon your trusty seatbelt to protect you.  When facing organizations like the Russian Business Network, Shadow Crew, BOA Factories, and others, the activity needs to be treated like a race and not an everyday trip to the grocery store.  In our new, fast-paced world seatbelts are important, but helmets are often required.
A Collaborative Environment? by Dr. Heather Mark, PhD, CPISM, CISSP, CIPP


Recently, the conversation in the Payment Card Industry has taken on a decidedly non-collaborative tone.  While everyone in the industry shares a common goal, the protection of sensitive information, there has been a decidedly "dog-eat-dog" atmosphere.  There is a great deal of pointing fingers and shifting blame in the wake of two of the largest data compromises in history.  The media has published stories casting blame on everyone involved - from the companies, to the Qualified Security Assessors, the PCI Security Standards Council, the card brands and everyone in between.  The current environment not only allows such shifting of the blame, but encourages it.

 A prime example of such "pass the buck mentality" is found in the PCI SSC's Frequently Asked Questions.  Many of the answers to these questions contain the phrase, "Ask your QSA."  Yet, depending on your QSA, the answer that you receive may be contrary, if not deleterious, to your business objectives.  That being the case, some companies may choose to take the issue to their acquirer and implement controls devised by their internal IT, risk and/or legal departments.  In some cases, the QSA may then validate the company as compliant.  When a breach occurs, all parties disavow responsibility, even if all parties (the company and its acquirer) cannot disavow liability.  In the aftermath of the breach, when forensics are being conducted and brand damage mitigated, the opportunity to share information and increase the level of protection industry-wide, often goes ignored.

In our industry, we face a very intelligent, very determined adversary on a daily basis.  Our enemies collaborate with one another, yet our industry, one might say our allies, are still reluctant to share information. While we know that breaches are occuring, speculation rather than fact often takes precedence in conversations about how the breach occurred.  "Experts" are quoted in articles and, more often than not, those experts have little insight into the actual event.  

The purpose of this article is not to cast more blame, rather to encourage the collaborative sharing of information among those that share a common purpose.  As those that seek to steal data collaborate, so too must those that seek to protect it.  Rather than casting blame, all stakeholders should participate in a "post-mortem" in which the method of compromise, as well as methods to mitigate that vulnerability, are shared among the industry.  Information must be equally available to everyone seeking to protect the data from compromise.  This is the goal behind the Society of Payment Security Professionals - the sharing of information for the purpose of bettering the security of personal data within the payment card environment.  
PCI DSS Value Survey by SPSP 

The Society of Payment Security Professionals is beginning its collection of information and opinions on payment card security.  We are currently collecting responses to our survey, "The Cost and Value of PCI DSS."  If you'd like to offer your input, please visit the survey here.  The survey is open to both members and non-members and can be taken anonymously.  Results will be published and available to members of the SPSP at no charge.

The survey is the first of many surveys to be conducted that is aimed at discovering attitudes and costs of security initiatives within the payment security space.  At the conclusion of the data collection periods, the SPSP will analyze the responses and publish the findings on our site.  If you have an idea for a survey, please feel free to send it to us, with the subject "Survey Suggestion," at info@paymentsecuritypros.com
Point to Point Encryption Working Group - Final Call

Last month the Society announced the formation of a new Working Group dedicated to Point to Point Encryption.  The response has been great, so we wanted to give our members a final opportunity to be involved with this group.  In recent months Point to Point, or End to End, Encryption has been a hot topic of conversation and has led to many questions and debates.  The Working Group's objectives will include:
  • Enhancing the awareness of secure payment solutions.
  • Providing a forum whereby end-to-end security technology challenges and solutions are presented, discussed, and communicated.
  • Participating, where feasible in user groups, forums, and industry events where the message of the objectives of the working group can be disseminated.
  • Encouraging innovative end-to-end technology solutions across various industry segments of payment transactions.
The PTP Encryption Working Group will be led by Mr. Mark Johnson, CIO of Propay.  Mr. Johnson has more than 23 years of experience in Information Technology.  The SPSP would like to invite others that may be interested to participate in the group.  To request information, or to volunteer for the group, please email us at info@paymentsecuritypros.com.  

Secure Payments Set to Debut by Jeff Heaton, SPSP Marketing Manager

The Society of Payment Security Professionals is proud to announce the debut of its magazine, Secure Payments.  The quarterly magazine focuses on issues of concern to Payment Security Professionals.  With topics ranging from Data Security and Privacy Regulation to Hints and Tips from a former Qualified Security Assessor, the magazine will cover subjects of interest to everyone involved with Payment Security.  The magazine is written by the staff of the SPSP, with featured articles by members of the SPSP.  The intent of the magazine is provide a voice to our members.  The magazine is peer reviewed for technical accuracy, industry knowledge, grammar and syntax in order to provide our members with the highest quality publication possible. If you are interested in writing for the magazine, please contact us  at info@paymentsecuritypros.com with an article idea, and a writing sample. If your suggestion is accepted for publication, we will provide writers' guidelines. 

The magazine is included in the SPSP membership fee.  In order to ensure that you recieve your issues, please make sure that  your member profile is updated with your current address.
2009 CPISM/CPISA Training Dates  & Costs
The Aegenis Group                                                          

Over the last several months, the SPSP has been working to minimize the costs associated with hosting, and therefore attending, CPISM and CPISA training events.  In developing a relationship with a specific facility provider, we have been able to reduce our costs and are passing the savings on to you.  Our new facility provider, StayBridge Suites, is offering our members room rates starting at $109 for a one room suite, and $139 for a two-room suite at the San Francisco training.  Included in this cost is a hot breakfast and happy hour drinks and hors d'oeuvres.   The room rates are only valid until May 25, 2009.  The facility in San Francisco is located only 3 miles from SFO airport and offers complimentary shuttle service within a 5 mile radius of the hotel.  For more information on the hotel, please visit their website

As a result of our partnership, we are able to reduce our training prices.  The new prices, reflected below, also include mid-morning break, mid-afternoon break, and catered lunch.  We are very pleased to offer a $200 reduction in our previously published prices.

CPISA Dates

 
06/09/2009 - 06/12/2009 Boot Camp (4 days)          Early Bird $1250     Regular   $1450         


CPISM Dates

06/10/2009 - 06/12/2009 Boot Camp (3 days)          Early Bird $1050     Regular $1250


To request information about the training and certification, click here. 

For more information about the certifications, please visit our website. 

More dates will be published shortly. 

Have a Large Group?
 
If you are interested in sending 3 or more people to our public training, we can offer group discounts.  If you have a large number of people that you would like to attend the training, you may be interested in our on-site corporate training.  If you would like to ask about our onsite rates or group discounts, please contact us at info@paymentsecuritypros.com or call us at 888-616-3330 ext. 11.
SPSP Webinars

The Society of Payment Security Professionals continues its webinar series in April with a webinar on new technologies and the way in which they impact the security of the payment card environment.  To join us for the webinar, please click the link below.  While anyone is welcome to join us for the webinar, archives will only be available to SPSP members.

April 14, 2009     Emerging Technologies & their Impact on Payment Security  10:00 AM PST
SPSP Events
  • Secure Payments Day (SPSP event) - Summer 2009 - San Fransisco, CA. More details coming shortly.  If you'd like updates, please let us know by emailing us info@paymentsecuritypros.com

Join the Society of Payment Security Professionals and Get In on the Action
The Society now has over 700 members representing 34 Countries on 5 continents.  Of those, almost 200 have now been certified as CPISM and CPISA.  Members include card brands, merchants, consultants, and QSAs.  The Society has  C-Level through entry level employees and welcomes anyone with an interest in Payment Card Security.

As a member you will have access to member only events and information such as whitepapers, articles, webinars, a data breach notification law interactive map, and a subscription to Secure Payments Magazine.  Additionally, membership provides a mechanism to interact with payment card industry security professionals and gain valuable insight into the security issues impacting the payment card industry.  Join Today!
About the Society of Payment Security Professionals

The Society of Payment Security Professionals' objective is to provide individuals and organizations involved in payment security with an online community to share information and access education and certification opportunities. Society members come from a variety of businesses including card brands, merchants, acquirers, issuers, ISOs, and more.  Though their organizations may vary, they all share one purpose:  to protect consumer data using the most current, viable technologies and processes. 
Listen to a podcast about the SPSP


SPSPThe Aegenis Group
CPISMCPISA