PCI / CISP Compliance

sotapop

Danger/Warning Signs - and items that require immediate attention:

a.  Full card number or expiration date printed on credit card receipts (the subject of class action suits and California law).

b.  Software versions of products must be “validated” as acceptable by the credit card companies.  Visa publishes a feeds page/list of “validated” payment applications (regularly updated).  The source for Validated Payment Applications is the PCI Security Standards organization.  These include:

     a.  POS system versions that have officially begun encrypting credit card relevant data at the file level.

     b.  Credit card storing/processing middleware programs that have been validated.

     c.  Stand-alone terminals whose versions are validated to be compliant.

If the application your establishment is using is not listed, contact the Point of Sale provider to ask when this validation will occur.  Some clarification may be needed, as the Point of Sale may not be the entity storing cardholder data; it could easily be the middleware or the stand-alone terminal.  If an application being used is compliant in a later version, the merchant should immediately upgrade to the compliant version.

c.  A lack of physical security is akin to “no security”.  Point of Sale servers that handle credit card data and signed credit card receipts must not be left unsecured; always keep these items under lock and key.

d.  Standard or “blank” passwords are unacceptable.  All vendor-supplied standard passwords must be removed from the Point of Sale server and from Windows itself.  Further suggestions in the password realm:

     a.  Too many people accessing programs with full credit card data.  How many individuals in the organization need access to full credit card numbers?  Restrict this number and the business will be less likely to have a problem.

     b.  Leaving Windows logged on, ready for immediate use with no password, is the problem.  The goal, as we see it, is to give everyone who needs access to the POS their own username and password that changes every 60-90 days AND logs off after 15 minutes of inactivity.

     c.  Don’t leave the POS application in a state where it does not require a login and password.  Don’t use auto-login for Windows (where possible), and force the POS application to log off rather than remain open.
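As an added example (not from the Sotapop page or from any POS vendor), the following read-only PowerShell audit checks a Windows POS host against the password items above: Windows auto-logon, the machine inactivity limit, the maximum password age, and default or non-expiring local accounts.  The 60-90 day and 15-minute thresholds come from the text; the account names in $defaultAccounts are assumptions used only for illustration, and the registry values and net accounts output it reads are standard Windows settings.

```powershell
# Added example (not from the Sotapop page): read-only audit of a Windows POS host
# against the password/login items above. Run in an elevated PowerShell session.
# Thresholds (60-90 day rotation, 15-minute inactivity) are taken from the text;
# the account names in $defaultAccounts are assumptions for illustration only.

$findings = @()

# 1. Windows auto-logon: AutoAdminLogon=1 or a stored DefaultPassword means the
#    console logs on with no password prompt at all.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1') {
    $findings += 'AutoAdminLogon is enabled: Windows logs on without a password.'
}
if ($winlogon.PSObject.Properties['DefaultPassword']) {
    $findings += 'A clear-text DefaultPassword is stored in the Winlogon key.'
}

# 2. Inactivity limit: "Interactive logon: Machine inactivity limit" (seconds).
#    Missing, zero, or above 900 s means the session does not lock after 15 minutes.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$limit = $policy.InactivityTimeoutSecs
if (-not $limit -or $limit -gt 900) {
    $findings += "Inactivity limit is '$limit' (expected 900 seconds or less)."
}

# 3. Maximum password age from the local account policy (English "net accounts" output).
$maxAgeLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' }
if ($maxAgeLine -match '(\d+)') {
    $maxAge = [int]$Matches[1]
    if ($maxAge -gt 90) { $findings += "Maximum password age is $maxAge days (expected 60-90)." }
} elseif ($maxAgeLine -match 'Unlimited') {
    $findings += 'Maximum password age is Unlimited: passwords never expire.'
} else {
    $findings += 'Could not parse the maximum password age from net accounts.'
}

# 4. Vendor/default local accounts that are still enabled, and any enabled
#    account whose password never expires.
$defaultAccounts = @('Administrator', 'Guest', 'pos', 'posuser')   # assumed names
Get-LocalUser | ForEach-Object {
    if ($_.Enabled -and $defaultAccounts -contains $_.Name) {
        $findings += "Default account '$($_.Name)' is enabled."
    }
    if ($_.Enabled -and $null -eq $_.PasswordExpires) {
        $findings += "Account '$($_.Name)' has a non-expiring password."
    }
}

if ($findings.Count -eq 0) { 'No findings for the items checked.' } else { $findings }
```

The script changes nothing; each line it prints maps to one of the sub-items above.  Correct the findings through Local Security Policy or Group Policy (and by renaming or disabling the vendor accounts) rather than by hand-editing the registry, so the settings survive the next rebuild of the POS server.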

e.  In regards to remote access:

     a.  Leaving a remote access application listening for the whole “world” is an open invitation for a breach.

     b.  Lack of signed contracts stating the technical staff’s responsibility to log all activity when using remote access sessions.

     c.  VPN/SSL sessions must be used.  Anything short of this is irresponsible.

     d.  The lack of two-factor authentication on the entry into the business over the Internet is also considered a breach.

     e.  Home access by employees or the owner of the business must follow the same set of protocols listed above.

If these things are not in place, leaving all remote access “off”, or set to require “Acknowledgement” of each session, is a first step, with a near-term goal of attaining all of these capabilities.  Secondarily, refer to the logging rules and two-factor authentication required by the Payment Card Industry.

f.  Unhindered wireless access on the POS segment is a huge gap in many organizations.  If wireless access of any kind, secure or insecure, exists on the POS segment (the internal layer of a business network), a hidden opportunity for a breach is wide open.  If the establishment provides wireless access in any way to the Point of Sale network segment, you are most likely out of compliance.  Latest news is that WEP (the original wireless encryption standard) and WPA (the more secure of the two), both used pretty extensively, now have the possibility of being compromised (see the following articles: 1, 2, 3, 4).  It is crucial to keep this network separate from your existing network.  If this is unaffordable, the standards indicate that the SSID (network name) should be “hidden”.  Some pundits suggest that anything short of a visible SSID, WPA2 encryption, and complex passwords would be irresponsible and an opportunity for crafty hackers to break in very easily.

sotapop
Sotapop Consulting
PO Box 192061
San Francisco , CA 94119
(415) 647-0550 office
(650) 996-6241 cell
support@sotapop.org