RCR 030: PCI-DSS (Part I)

Mar 26, 2019


Description:

Shon Gerber from ReduceCyberRisk.com reveals to you the steps and the cybersecurity training you need to grow your information security career while protecting your business and reducing your company’s cyber risk. Shon draws on his expansive knowledge and years of cybersecurity experience to provide superior training.

In this episode, Shon will talk about recent security news: US Chemical Firms Cyber Attack; New Jersey Privacy Bill – PII Breach Notification; Vulnerability Assessments vs. Penetration Testing

Our Cybersecurity Training for the Week is: PCI-DSS Training – Part I

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet? LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com – https://reducecyberrisk.com/

Facebook – https://www.facebook.com/CyberRiskRed…

Transcript:


Welcome to the Reduce Cyber Risk podcast. The plan for today is, as we all know, cyber security risks are there every day, all day, every week, all the time. As I said, in the news there is tons of stuff that’s going on, and what we tie into a lot of the cybersecurity stuff that you see in the news today, much of it is the different hacks that occurred and so forth. But if you’ve been listening to the podcast for a while, one of the things that I focus on from the Reduce Cyber Risk point of view is around the cyber security professional and some aspects that you may want to be concerned with as you are looking at enhancing your career along with protecting your company. And if you are looking for a certification around the CISSP, it’s a great place to augment the training that you might be looking for to get that certification. The cool part about Reduce Cyber Risk, from the standpoint of the podcast, is you can get a CPE, one credit hour, with SANS if you’re working on your CISSP, especially as it relates to getting your security professional certificates all taken care of and done.

All right, three main topics we’ll roll into, and then we will throw in some training. The first topic is going to be US chemical firms and a cyberattack that’s hit them. The second is going to be the New Jersey bill which is broadening the PII breach notification. And then finally, vulnerability assessments versus penetration testing, and we’ll get into some of the nuances of that. Finally, the last piece is going to be the cyber security training, which is going to be around PCI-DSS, which is your Payment Card Industry Data Security Standard, Part 1. I have to break it into a couple of parts because honestly it’s pretty exhaustive, and it’s pretty much an overview. So that’s PCI-DSS; people are always searching for it.

Today we’re going to get into US chemical firms in an attack, as reported by SecurityWeek basically.
What it comes down to is there were two major US companies that were recently hacked. Now what had happened was they were affected by a product called LockerGoga. Names like LockerGoga, like Bill or Fred, but now it’s a ransomware that has hit these two US-based chemical companies, Hexion and Momentive. And the issue around that is the malware that was used on these two systems was very similar to the attack that occurred against Norsk Hydro, which is a Norwegian aluminum company that was attacked last week with some ransomware. As we all know, ransomware running throughout everybody’s networks and their support points will affect almost every company. The biggest issue always is the fact that these are chemical companies, and so therefore it’s imperative that you don’t want things to kind of go south on those. So ransomware rolled into this environment, and I’ll get a little bit into what happened surrounding Norsk, but these two major companies had dealt with this, and it was very, very similar to what was seen at Norsk. They basically said it impacted the corporate functions, so it didn’t actually get into the process network, which would be pretty bad, but it did impact the corporate aspects of it. These are owned by the same investor group, so basically the investor group that owns both Hexion and Momentive, and they said that they had to order in hundreds of new computers along with provisioning new email accounts. Some interesting points that came into it, and the FBI talks about this as well, is the fact of not paying. We’ll see what Hexion and Momentive decide to do, but Norsk Hydro did not pay, and that was last week. One thing that is very similar on this is that it attempted to use Active Directory credentials, and we’ll go into that a little bit around the use case that was with Norsk.

So as I said, about 35,000 employees globally, a very large aluminum company out of Norway. Tuesday morning everybody showed up and it’s all locked up. Not good. Because of that, their IT folks couldn’t get in; they couldn’t do anything with the systems at all. They actually had to degrade themselves to what they call a manual mode, which basically means pulling all of IT out of the mix, so all of their processing, everything they’re doing, tracking orders, you name it, was all done via pen and paper. So they had to kind of make some changes for that. Another one of the points they had mentioned, and did a good job with, was around the incident response aspects, in the fact that what they did was they were able to get a website up and operational and communicate with people. It was interesting in the fact that typically, when this is a publicly traded company, when a breach occurs the stock or share price will drop. Actually, because of the way Norsk handled it, their share price actually went up. So that is a very telling sign to give to anybody that’s in the cybersecurity space as to how important that incident response process actually is. One of the things they recommended was that they had actually provisioned new systems, new equipment. The other thing that was interesting about the attack, that actually helped stave off some of the issues, I mean they were basically in full meltdown mode, but there were some key aspects of communication that they were able to get around. Ransomware came in, and we all know ransomware goes in and encrypts the hard drive based on a vulnerable system, or a corruptible system in general, and what happens is that you lose everything. If you have Outlook, if you have your Exchange, whatever might be within your environment, if it gets encrypted, you’re done. Well, they were actually able to communicate and help through the incident response process. Point taken: it’s good to have off-site options relating to some of these issues, because they’re independent of what you might have on-site.

Another thing that is interesting about all this is that it appears that a domain admin was compromised, and that domain admin account that was compromised, at least one, allowed them to replicate their Trojan, basically the LockerGoga, via Active Directory versus a standard worm that would proliferate through your environment. By using it, it’s actually quite smart; you’re not going to turn Active Directory off in most cases, so it allowed it to proliferate and look for vulnerable systems. So these are chemical companies that have been attacked. I mean, the bottom line is they’re big enterprises. I don’t know if it’s focused specifically on chemical companies as a whole, other than the fact that they are big enterprises and big business. One of the things, when you run into these issues, that’s really important is the fact that you segregate your networks. If you do have a process network, you work hard to segregate it, and an option out there is called the Purdue model, and I believe it is ISA-99. But bottom line, keep the networks apart. You do not want them together, just for reasons like this, where LockerGoga rolls into town, and if they’re together under one big network, things get really dicey really quick. If they’re separated, well, then you may lose some of your business functionality, but you may not necessarily lose part of your process network. Interesting part: US chemical firms are attacked, and we’ll see what comes of it, but the bottom line big takeaway is incident response.

New Jersey bill. This was just proposed in New Jersey by the state senators, around broadening PII breach notification. The reason I bring this up is because New Jersey, as another state, is bringing up this breach notification clause, basically laws that are coming out that they are trying to put forward, and this falls in line with what’s happening in Maine, California, Ohio and so forth, as the states are waiting for the
federal government to come up with a plan around breach notification, very similar to what would be around GDPR, which is your General Data Privacy Regulation that is within the European Union. The federal government needs to make a decision and do these things. The New Jersey bill, as reported by SC Magazine, basically includes usernames and passwords, email addresses and security questions. So if any of these things happen during a breach, you must be notified by the company. If I’ve got business in New Jersey and I’ve got individuals that could potentially have been breached, their data was breached, and they live in New Jersey, then these things would potentially affect me from a legality standpoint: passwords, email addresses or security questions, therefore I must give some level of acknowledgement to that. The sponsor is state senator Troy Singleton, a Democrat out of Burlington, and this one is Bill S52. He also is working in conjunction with another bill, that’s 35-40, yeah, that’s not really right, but anyway, yeah, that could be that too. Anyway, moving on. So the five-day alerting is what S3541 has got set up, where, like GDPR, where you have 72 hours to report an incident, they want to put in a five-day alerting amount for any company that deals with a breach. So as you see, the importance of all of this is that it’s going to continue to change. There are always going to be situations until the United States federal government comes up with some level of privacy law that will affect all the states. It’ll happen at some point; it’s just a matter of how this all plays out. The interesting part is that now, if you’re a multinational company, you’re trying to deal with all these different state privacy regulations and PII breach notification regulations. This is the one reported by SC Magazine: New Jersey bill broadening PII breach notification.

On this next one we’re going to talk about vulnerability assessment vs. penetration testing. Now this comes out of IBM Security Intelligence, and this is an article they had out there. I like to just get into the different hacks that are out there, because bottom line there are hacks everywhere. The goal is the ones that I feel from a security point of view will help you as a security professional, along with offering a little clarity. This is one of those to help out a little, for all of you that might be listening and watching my podcast or the video. It also helped add a little clarity in my own mind. As I put these things together I learn a ton as it relates to different aspects and how I could be better at what I do. Along with that, this is one thing that I just didn’t even think of, but I understand vulnerability assessments. In my background, again, for a while working for the government, I did vulnerability assessments, did penetration tests, did all those things, but that has changed dramatically from when I was doing this as a red team. In the past, before the cloud, you’d have a system and you’d want to do a vulnerability assessment or a scan on that system, make sure it’s not vulnerable, and you’d put it out in service, right, and ready to go. Well, now, with the cloud being the future, it is incredible what is connected to what. I was watching a video today on some cloud AWS aspects, and one thing I learned is I saw all the capability that just continues to grow within AWS as a whole, and there’s no way you can keep up with it. This is one of those where scans were great in the past when you had to do scans; now the penetration testing is going to be extremely, extremely valuable, just because of the simple fact that now, as you get into the cloud environment, you can’t test everything, and so it also gives you the ability to go and be very laser-like focused on certain specific areas. Ideally you would do this on areas that are of highest risk.

To give you an example of what a vulnerability assessment is: it’s a broad assessment of what’s going on. Typically it’s a vulnerability scanning engine that’s actually going out there and hitting your site, looking for potential out-of-date patches, vulnerabilities, whatever it might be. A penetration test usually takes the information from a vulnerability assessment, then gets a laser-like focus on areas that it sees as a place that I could take advantage of, and then it just drills into that to see how far I can go. That is a penetration test. And so, in the past, you had very manual exercises that would have dealt with scanning and also with penetration testing. Well, now this is all getting automated, and this goes from the scans themselves to the penetration testing; some of it has been automated. I say that, and what I’ve learned is that things go sideways really quick in a pen test, and you have very little control, especially if you put on an automated scan, so you may want to consider whether or not you want to do that. Now, dealing with PCI DSS, because our lesson today is on PCI-DSS: the vulnerability scans in the past would suffice. You’d have a qualified security vendor company, you know, they would go out and they would scan your website, and they still do, right, but that is what these people do: they would just scan looking for vulnerabilities, give you a report, and then you go fix them. PCI DSS 3.2 implemented a penetration testing methodology, and you must validate the segmentation that you’ve put in place for your network via pen test. So you can’t just do a scan, you can’t just do the periphery; you’ve got to use a pen tester to dig deeper, to go, yeah, he or she did separate their network vs.
out-of-network, or flat. So those are just aspects of running the PCI DSS you’re going to have to be aware of, and that’s a really cool augment to the training we have today. But bottom line is, with the new PCI-DSS you must implement some level of penetration testing methodology as you’re going through this, and again that’s all dependent upon what your SAQ is, and that’s your self-assessment questionnaire. How does that play, how do you play into that? We’ll get into that here in just a little bit. They had talked about, and I think it’s good, the vulnerability assessment is like your office door being unlocked, letting somebody in. The pen test would be, what would the criminals do once they’re in, how deep would they go, what would they look for? That’s the pen test. So, again, both vulnerability tests are great; they’re very standard, they find the issues that are vulnerabilities out there. The pen test is when you can basically bust that bank open and get all the money out of it, but they are very, very labor-intensive; there’s a lot of work to them. So that’s vulnerability assessments and penetration tests. SC Magazine and SecurityWeek, all those are out at Reduce Cyber Risk, and you also can check them out here on YouTube.

All right, let’s roll into our training. All right, I’m Shon Gerber, and we are on this part of the PCI DSS, the topic that many people deal with on a yearly basis as they have to deal with their payment card industry requirements from the council that requires them to have some level of data security standard. So we’re going to get into PCI-DSS, what you can do as a cyber security professional on how to protect your environment with regard to the PCI DSS requirements. So as we’re dealing with PCI DSS there are a lot of things to consider. PCI deals with the payment card industry, and the payment card industry came up with some standards that they wanted people to follow, and as they did that they said that there are important aspects that come along with it, and those important aspects are things that retailers or vendors, people utilizing their services, must put in place to protect their card data. If you don’t do that, then what would end up happening is that you would lose the ability to utilize cards for your environment. So if you’re a retailer or some sort of vendor of some kind and you have credit cards that you want to accept payment on, then what you have to have is, you have to meet these standards. If you meet these standards, great. If you do not meet these standards, then what would end up happening is they would revoke that capability from you, and so then if you can’t utilize credit cards, in today’s world, with all the aspects around credit cards, that would be very hard for you to operate. So what they want is they want you to meet these standards, and there’s a lot that goes into this and that standard. If you are in the requirement for PCI-DSS, the websites out there walk you through a lot of the different aspects. Reduce Cyber Risk will have things on our website around this over time, but this is an overview of what you need to worry about as it relates to PCI-DSS.

So we’ll first get into the first steps of this program. The first thing you need to do is assess, and what that comes down to is you need to identify any cardholder data that you may have to take in or you may have to maintain. So if you know that you’re taking credit card information of individuals, you need to be aware of it, right? You can’t just go, I didn’t know I collected it; that’s not going to work. So you have to be aware of what data you are actually collecting on individuals. The second thing you need to be considering is, these are all standard security practices, and if you are a business that’s dealing with this, or you’re a security professional, these are the basics that you really must do as it relates to protecting your overall network, not just the PCI environment. You need to identify IT assets and business processes for payment card processing, so basically anything that processes credit cards or credit card information you need to be aware of. Then you need to understand what that means: where is that server located, what does it touch, what switch does it connect to, does it connect to the outside internet, are there mobile devices that are connected to it, is there wireless or other types of wireless connectivity connected to it? All of those aspects you need to be connected with, and understanding where it is: inventory your IT assets. Okay, so that’s the first part of step one, which is assess. Then the last thing you need to do on assess is you need to analyze the vulnerabilities for data exposure. What does that mean? Basically, if you have data that you’re shipping out due to the credit card transactions that you’re taking, you need to understand the vulnerabilities with that. Here’s an example: you have a credit card machine, the electronic credit card machine, and it dumps to a computer that sits in the back of the office, and this computer in the back of the office is running on Windows XP, okay, which is like way old. It was built back in the late ’90s kind of thing, right? The bottom line is it’s really, really, really, really old. So if it’s really old like that and you are putting credit card data on it, well, that would be a vulnerability, and that would be something that you would want to have fixed; you’d want to have a more updated system, most likely a Windows 10 system that’s operating with current patch levels. So the point of that is that you need to consider what are the different vulnerabilities if your data is out there and being exposed, and the issues that are in your environment. So if you know there’s an issue, such as you have wireless connected to the same environment that you have your credit card payments being done on, then you need to probably have that wireless turned off, or you need to have it segregated from your personal network, from your business network. So those are things you need to fix immediately. Another one is: don’t store credit card data unless it’s absolutely required. This is something that, if you hold that data, you are now responsible; you will be held liable for the protection of that data. So if there are opportunities where you can not keep that data and move it on to somebody else, and pass that risk on to somebody else, to a third-party processor, then that’s a better option for you. Now in many cases you can’t do that, so if you can’t, then you need to look at ways to protect yourself. But bottom line is, do not store any card data any longer than you actually have to, and if you don’t have to, don’t.

Report: there are remediation reports that you have to submit to the credit card agencies whose cards you utilize, letting them know what you’re doing and how you’re protecting your information. In some cases, not all cases. We’ll get into these self-assessment questionnaires, the SAQs. In some cases, depending upon the vendor, say you collect credit cards on your website, but there’s what we call an API; bottom line is that when the credit card transaction is put into your computer, it never really touches your computer. It moves on to somebody else through this third party, and because of that, what would end up happening is you wouldn’t have to file a report. I don’t say, Shon said Reduce Cyber Risk is not going to have to do a report, well that would be bad, okay, so just don’t do that. Second thing is you need to be aware of what you need to submit and what you don’t, but that’s an example of how you may not have to submit reports to the credit card companies, because you’re basically the pass-through, in that you’re
just bringing people to the website, with all the credit card information staying contained within a third party’s application. Banks and card brands: that’s what you have to do depending upon your requirements. There are technical and operational requirements to be considered as it relates to the PCI security standards. These are set by the PCI Security Standards Council, the PCI SSC, and they were designed to protect cardholder data. Basically it comes out as a level of standards that needed to be in place, and it’s also designed to manage the security standard, and as things change, how do they provide those standards to individuals. Their enforcement is the founding members of this group, so there you’ve got American Express, Discover Financial, JCB International, MasterCard Worldwide, and Visa as well, and those are the main brands that have enforcement on the Security Standards Council. They’re the ones that are setting the security standards, because they came to an agreement that this is what they need to do, and if they do that, and they can get the vendors to manage those security issues and hold on to those, then the odds are high that they will meet those from a system standpoint.

Now there are three different types of standards that are involved. There’s the PCI Data Security Standard, the DSS, which is the typical one you see, PCI-DSS. There’s the PIN Transaction Security requirements; now these are, briefly here, the PINs that you set up, you know, your one two three four five, those kinds of PINs that are tied to your card. And then there’s your Payment Application Data Security Standard, PA-DSS, which deals with the actual application development and what you need to be concerned with when you’re creating applications that specifically accept credit card data. Now, for the PCI Data Security Standard, who is this for? Okay, so this is basically the standard for all entities who process, store or transmit card data. That’s what the PCI Data Security Standard was designed for, the PCI DSS, and the point of it was to build basically a mirror set of best practices. Now if you look at the best practices that are tied to PCI-DSS, they’re very similar to what you get for any sort of cybersecurity standard for best practices anyway. They follow along those lines, and they’re designed to educate people that may not be the most smart or the most educated on cybersecurity standards. Really, quite foolish in most cases, and honestly I’ve got a third grade education pretty much, but bottom line is they were designing these to help people who don’t deal with this stuff on a daily basis. A friend of mine has a daycare, and she asked me about these standards and what do they mean and how does she work on it, what is a firewall. So those are all aspects that can be very confusing to somebody, especially if they’re just getting started. And so as an individual, especially as we get into this, where you could, as a security professional, be an assessor, or be in a situation where you’re just providing guidance and direction, it’s really good to understand one, the basic security tenets that we want to try to maintain, but also to be able to translate that into an understandable language these people can understand. If you have a business, a great way to do it is, like what we get on Reduce Cyber Risk, to help you with these controls, because a lot of the things that we talk about on Reduce Cyber Risk will fit these controls as well.

What are the main controls we’re dealing with? We need to build and maintain a secure network. If you don’t know what that is, you’re like, I have no idea. Bottom line is your firewall; you can have things segregated, and at the bare minimum, if you didn’t know what else to do, again, because everybody’s network is different and how you set it up is very different, but at a bare minimum, do not have anything that accepts credit card information on the same network that you have your business network on. Just don’t do it. If you can do that, that’s a huge benefit to you; it’ll save you a bunch of time and headache, and it may be a little more expensive in the short term, but in the long term, by segregating those networks, it’s just well worth it. So you build and maintain a secure network: firewalls and all the things that go into building an infrastructure around your security. You protect the cardholder data: how do you protect that information that’s coming into you, what are you doing with it, are you encrypting it while it’s sitting in your system? You have to do all of those aspects. Basically, have the ability to find and patch the holes in your environment, do you fix them; that’s just kind of what it comes down to. Then, strong access control measures: you don’t let the guy that you just hired, that does the ice cream at your restaurant, have access to the credit card system. Now, he may process credit cards, but you don’t let him have access to the main system, and if you did let him have access to the main system, then he has rights to that from our perspective based on his role. So they call that role-based access controls, and we’ll get into that here a little bit, but he has very specific roles, very specific abilities based on his role. Test the network: you may have to have a penetration test done, you may have to have vulnerability scans done on your environment, but you need to test your network to make sure that it is patched, updated and protected. Security policy: do you have this documented anywhere, what we decided to do? Do you really have the document that says you actually do what you say you’re going to do? Those are important pieces, because a lot of people say, well, it’s just paper. Well, it is, but it also shows that you’ve taken time to understand what are the risks, how are you going to mitigate those risks, what are you going to do to fix them, and how do you do that, how did you do that,
would you implement a third party to come help you fix them, do you say you’re going to do it all yourself? They just want to know that you’ve thought this through and that you’re following what you say you’re going to do. When you’re setting the compliance, they set a set of standards, the PCI Security Council did, and each company has its own program for enforcement and compliance. So that basically means American Express has their own thing you have to do for enforcement and compliance, which means you may have their own report that they want you to file; Visa may have another report they want you to file. But bottom line is each of them will have something they want you to follow. The standards are basically to get you in the right ballpark, the DSS, data security standards, but then when it comes to filing reports and so forth, each of the credit card companies will have their own set. There is plenty of third-party software out there that will help you with all of this, and there are plenty of people that will help you get your system up and running around it, but the bottom line is you have to know the basics, especially as you’re communicating with them on setting up an environment: what does that mean, how is that set up? Another thing I’ve run into is with churches. So at my church they have the ability to take credit card information. Now, they actually have it all online; they have companies that will do that for them, and so they take the PCI standards that they would have had to do in the past, and some of that has been transferred to this company because it’s all online. I say that, though: if they are accepting credit cards in any other format other than through a specific API on a website, then they still have to follow those PCI standards. So it’s really kind of tricky, because you’ve got to be careful. It isn’t that you just don’t have to worry about it now; you still have to educate yourself on these standards as well.

Now, self-assessment questionnaires: these are tools that are designed to basically report on compliance, and they created these to help people understand what they need to do next, how you deal with this, right? They’re based on the business environment, so depending upon what your business environment is will depend upon what you have to do. So, can I dilute this a little bit: do you have to go through a bunch of processes to make sure that you meet the PCI standards? A couple of examples that are out there for businesses, different types of self-assessment questionnaires: you have your SAQ A, A-EP (which is your Echo Papa), B, B-IP, C, C-VT, D Merchants, D Service Providers, and so forth. I’ll call that out there: if you’re listening to this on the podcast, I did say it’s just an alphabet soup of what you need to worry about when it comes to the self-assessment questionnaire. Each of those has their own what you can and cannot do. A couple of examples I have out there: one of them is card-not-present merchants. Okay, so basically what it comes down to is you’re a merchant, you do not keep the card; they don’t have the card, they do it all online, right, so the card is not present in your hands, you don’t see it, and so all that functionality is outsourced to a third party. So you don’t keep the cardholder data; you don’t have to worry about anything like that. What ends up happening then is you just follow SAQ A. Right now, if you’re dealing with a partially outsourced e-commerce merchant, where maybe some of that stuff is kept on your servers that you may have, there are some transactional aspects that happen with your website. Like, I’ll use an example: we have a membership site that we’re going to be setting up, and what would end up happening is, because of that, we will be accepting credit card information, but it’s done through, and it’s partially outsourced, the e-commerce aspect of this. So it would fall, it falls under SAQ B, is where I would put that, since we’re utilizing a third-party website for payment processing such as PayPal, Stripe, and so on and so forth. SAQ B does have requirements about what I have to do to protect my website, but since it’s all outsourced with other parties, even then it’s pretty simple. Now, if you host your own website and you have your own CMS that sits in your own environment, then that’s a different animal. You have to maintain it; how do you protect that website from outside hackers and so forth? So again, there are different aspects that you have to do. SAQ A, again, is card-not-present merchants, and then SAQ B is partially outsourced, but if you go through the alphabet soup of A, B, the shorter version of that as well, B and a****** and so forth, there are different things that are out there that you can do to manage this stuff. So again, they walk you through the different self-assessment questionnaires, what’s important to you and your environment.

Qualified assessor and approved scanning vendor: now these are programs that assist and facilitate compliance with PCI DSS. Depending upon which one of those buckets you fall into, you may have to have a qualified assessor come validate that you actually do what you say you’re going to do. Now, in most cases that I’m aware of, again, I’m not a PCI DSS guru by any stretch, but I’ll help you with that if that’s what you need. Those are in the higher-level aspects of the PCI environment, so if you’re in the service providers and so forth, in most of those cases they have quarterly requirements to get assessed by an individual or company that will then qualify them, to make sure that they are protecting the credit card data the way they’re supposed to. So those are qualified assessors, and they are approved by the council to assess the compliance of what an individual’s doing. So those qualified assessors will come out, usually once a quarter, and they will
look at your environment and it could be as simple as that you have to file a report with them and communicate with them or could be that they have boots on the ground it just depends upon the situation and what you are actually as a provider there’s also no proof skinny vendor if you have evolved website that is required the collect payment card information and do to your SAQ you have to get the site scan on a routine basis for vulnerabilities these qualified scanning vendors will do that and what they do such as you like nuts Parker or there’s other tools out there that that will do this but they will scan your website for vulnerabilities and then they’ll provide a report to you to get these vulnerabilities that’s the purpose of the scanning scanning vendors this again this comes down to the the site facing a self-assessment questionnaire on whether you need one of these are not my recommendation know is if you are collecting any sort of credit card information whether you are a e-commerce Fender like myself that was pushing it through a third-party you still should have your side scan and and this can be done in multiple ways you don’t have to pay for someone to do that if you’re small operator depend on your wrist you can you can do that yourself but bottom line is that should be done as well just to ensure that you don’t have vulnerabilities that are open within your environment transaction security requirements upci what are the key aspects of this is this applies to companies that make devices that accept personal identify identification numbers pins right so you put in the chip on your card and realistically that chip all that ship is really designed to do it to provide a second Factor authentication it doesn’t really do anything other than that they have some future enhance was built into it that they want to utilize with it but when you put that in and then you tied up with your PIN it says yeah that this pain is associated with that number or with that 
car it’s also is the fact that if you have a so you have that with a debit card now if you have a credit card and you use your credit card has no pin to it all that saying is that that chip is is confirming that this is a physical card yes it’s a legitimate card and it communicates via that way so it’s just another factor of authentications what it utilizes you like that picture but much in a much broader detailed in the United States because the United States is a little bit but again has more functionality that’s built into it you’ll see in the future they recognize elapsed to adherence to PTSD requirements and so what happens is they they realized that there were there were gaps in when people were creating these products are they came up with a standard requirements for anybody who is adding pins to these these credit cards and what they need to do is they also have this set up the standard is for financial institutions Merchants to also ensure that they have the appropriate pts devices so when you go to the your store and you entering your pin your you put in your car near your pin in and they want to ensure that it meets these requirements to do that the one thing I’ve always struggled with with those card readers and they’re at their plastic little things and I’m like they just they don’t look real and I assume that there’s a reason for that one probably to keep costs down but too late they just look kind of clunky and it’s just kind of interesting that but I know they do this acute very lightweight they don’t want to put a lot of money into it and plus the more code that you add into these things so it from a development standpoint the more overhead in the more features you add to these these devices the more areas for vulnerabilities to be incorporated into the environment so I’m sure that plays into this quite a bit and I still look like the pts requirements cover physical and logical security coming through as you now have a credit card right so you’ve a 
physical security of that device they also cover The Logical security when that data is connected and taken from that card and it’s transmitted to the credit card company is it encrypted during transmission is there is there any Resident credit card data that stored in memory how is that managed if it is is it segregated from the rest of the network how do they manage that that data from the motor that goes in to the moment that it gets put to get sent to the company because hackers are smart and they’re going to do what they’re going to follow the money explain it and if there’s credit card numbers that are sitting resident on a computer system that they can manipulate they’ll do that so that it’s kind of security standards that are kind of it is security standards that are set up specifically to help break up the physical and logical security now payment application data security standards what is that back in January of 2019 and it’s basically around the security software that you’re the software that you’re craving for the these devices and for collecting credit card information that’s based on the PCI software security framework which consists of two aspects of PCI security software standard and the PCI secure life cycle SLC so those two pieces fall under the software security framework and helped we talked a little bit about that the change that happened that the good thing about this is that because more people are utilizing credit card data online they had to make some changes to their security standard so as an example I know right now in China that use WeChat a lot and they use credit card data on the WeChat now they don’t do the typical United States where they’re scanning credit cards all the time they just have all that stuff integrated within the applications United States a little bit slower in that regard I don’t know if it’s good or bad or different but adoption of Apple pay in those kind of pay methods are a little bit slower in the United States 
but that’s but they are taking off in the Western in the Asian countries stop for vendors secure payment applications so basically is is that it helps them to go segregate the data ensure that they don’t store prohibited data which would be in in the many cases it’s the the number of the actual credit card number itself and so it helps them to not store this data it does not include applications development early so what that basically means is that forces them that if you have a offender that’s creating it that the standards apply but if you build is homegrown solution these do not apply to that now the bad side of that is that if you are building these internally you need to follow some level of standard as well as you create the stuff but they have no way of forcing you on anything as far as you develop internally within your own company to accept credit card numbers however I will say one thing to be concerned with his if you do that you know open yourself up to some significant risk in my mind again but my lawyer but I can tell you that from a security point of view just because they it unless it’s in your comparative advantage to do so on a routine basis to build this kind of software their eyes are high you will have incorporate vulnerabilities and risk into that code so I highly recommend highly knock on wood that you purchase a third-party software that this is what they do for my development spit standpoint especially dealing with some sort of credit card information just to reduce your risk you just you don’t want to you don’t take on that liability will using a propane application support purpose of that is are you using approve payment points are you using stripe are using its PayPal are you using some other product that’s collecting payment card data in a way that is follows their standards or are you using Billy Bob’s payment card company that he just stood up last night out of the the bowels of the Bayou in Louisiana and if that’s the case well then 
you probably reset yourself set the standards in place at UD ensuring these developers are actually following as a set of standard to create applications that will meet what they are looking for to protect their card data that’s all I have for the part one of the PCI DSS security controls here on reduce cyber-risk check this out or do cyber risk, great stuff there will be rolling in next week to PCI DSS number which will be the following to protect your company from a business standpoint as 3 professional what you need to know to help protect your company alright have a great day talk to you later
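The episode makes two practical points a small merchant can act on right away: a payment application should not leave prohibited data (the full card number) lying around in memory, files or logs, and you should scan your own environment routinely even if a third party handles payment processing. As an added example, not from the podcast, from Shon Gerber, or from the PCI Security Standards Council, the following Python script is a simple detector for PANs that have leaked into application logs. It finds 13- to 19-digit candidates (optionally separated by spaces or dashes), keeps only those that pass the Luhn mod-10 check so that order numbers and timestamps are ignored, and reports each offending line with the number masked to its last four digits. The masking policy (last four only), the log format and the card numbers are all constructed for this example; the card numbers are the well-known Visa and Mastercard test values, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (lookbehind/lookahead).
# Constructed for this example; tune the separators to your own log format.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits (assumed policy for this example)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def _normalise(candidate: str) -> str:
    """Strip the allowed separators so the digits can be checksummed."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the separator-free PANs found in text (Luhn-valid only)."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in the line with its masked form."""
    def _sub(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)  # not a card number: leave untouched
    return _PAN_CANDIDATE.sub(_sub, line)


def scan_log(lines) -> list:
    """Return (line_number, redacted_line) for each line that leaks a PAN."""
    hits = []
    for n, line in enumerate(lines, 1):
        if find_pans(line):
            hits.append((n, redact_line(line)))
    return hits


# Constructed sample log. Line 1 carries a 16-digit order id that fails Luhn,
# line 4 carries a Luhn-invalid session id; only lines 2 and 3 leak PANs.
SAMPLE_LOG = [
    "2019-03-26 10:01:02 INFO checkout ok order=1234567890123456 amount=19.99",
    "2019-03-26 10:01:03 DEBUG gateway request pan=4111 1111 1111 1111 exp=12/22",
    "2019-03-26 10:01:04 ERROR retry failed card=5555-5555-5555-4444 code=51",
    "2019-03-26 10:01:05 INFO session id=4111111111111112 ttl=300",
]


if __name__ == "__main__":
    for n, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: PAN found -> {redacted}")
```

Run it against a real log export and every reported line is a place where cardholder data is being written somewhere it should not be; the redacted output is safe to paste into a ticket. The Luhn filter is what keeps the false-positive rate usable on busy logs, which is why the order id on line 1 and the session id on line 4 are not reported.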
