New Payment Card Standards Go Beyond Compliance

Standards can be a way to get organizations to do things you want them to do, but oftentimes they don’t get them to do much more.

The writers of payment-card standards appear to have been acutely aware of that phenomenon when the PCI Security Standards Council previewed their new PCI DSS 3.0 standard earlier this month.

“The existing PCI standard focuses clients on specific elements that are to be secured at a point in time — when the auditor is there — to get a PCI signoff for another year,” Philip Lieberman, CEO of Lieberman Software, told TechNewsWorld. “For most merchants, the existing PCI standard is a one-time pain per year where things are cleaned up, and the bad security practices return almost immediately after the auditor leaves.”

The new PCI standard won’t be music to the ears for security hands who worship notion of the inviolate perimeter: “The new standard recognizes that perimeter breaches are a regular occurrence and outsiders regularly have access to credit card information,” Lieberman said.

“Given that the perimeter is no longer secure, the only real mitigation is to have persistent controls within the interior that are both human and technological to minimize losses,” he added. “The new standard properly focuses merchants into a vision of looking at security by process and technology that persists beyond the auditor’s visit.”

Ditching Checkbox Security

The new PCI standard will also encourage merchants to educate their employees about security, suggested Pierluigi Stella, CTO of managed security services providerNetwork Box USA.

“Apparently, the PCI industry has come to realize that while you can throw all the technology the world has to offer at this problem, if you fail to adequately educate the end user and ensure security becomes part of the way they conduct business, nothing will ever work,” Stella told TechNewsWorld.

“There’s absolutely zero use having an armored door if you don’t instruct your employees to keep it always locked and monitor who uses it,” he added.

Stella, too, praised the new guidelines’ departure from the compliance rut: “I’m incredibly relieved to hear that PCI needs to be more focused on security and less on filling up check marks to reach compliance,” he said.

“Compliance doesn’t make you secure, while security will likely make you compliant,” he added.

The new guidelines also appear to be getting ahead of the curve in another security area.

“This preview confirms that the downstream software supply chain is an emerging attack vector that impacts not only the payments industry, but enterprises as well,” Torsten George, vice president for marketing at Agiliance, told TechNewsWorld.

“Increasing requirements for penetration testing, application development lifecycle security and threat modeling all point to the fact that supply chain risks are an escalating concern,” he explained.

“Enterprises will need to go beyond vendor risk surveys and use verification services to test software applications prior to procurement and deployment,” he added.

Mobile Passwords

Simple passwords are common everywhere consumers use passwords, but even more so with mobile phones. The reason for that is as simple as the passwords themselves.

“People generally don’t want to type in a complex password on a mobile device as it is more difficult than a standard keyboard,” Adam Ely, COO and co-founder of Bluebox, told TechNewsWorld.

“Almost all of our customers have commented on this,” he added.

The convenience factor is a daunting one even for network administrators who might have the power to enforce stronger passwords on handsets.

“Even on mobile device management systems designed to allow organizations to enforce more complex authentication, organizations choose not to due to usability issues,” David Britton, vice president of industry solutions for 41st Parameter, told TechNewsWorld.

However, smartphones have features — built-in camera, GPS and voice recognition — that may act in the future as more secure alternatives to passwords.

“Over time, I believe that mobile manufacturers will begin to exploit these alternate capabilities even for device access itself,” Britton predicted, “in the same way that security organizations are beginning to exploit the diverse capabilities of the phone for systems and application authentication.”

Breach Diary

• Aug. 19. U.S. Department of Energy sends notifications to some 14,000 former and present employees that their personally identifying information may have been compromised when an unauthorized person gained access to the agency’s computers. No classified data was targeted in the attack, DOE said.
• Aug. 19. University of Delaware revises estimate of number of records stolen by cyberthieves last month to 74,000. Records included Social Security and university identification numbers.
• Aug. 19. Hope Community Resources of Alaska accidentally emails private, personal and sensitive identity and healthcare information of some 3,700 disabled clients as attachment to a promotion for a survey of the organization’s clients and stakeholders.
• Aug. 20. “Mauritania Attacker” publishes information on more than 15,000 Twitter accounts to the Internet. Information did not include account passwords.
• Aug. 21. U.S. Department of Health and Human Services’ Centers for Medicare and Medicaid Services proposes rule in Federal Register requiring that state health exchanges report data breaches within one hour of learning about them.
• Aug. 21. Bloomberg releases two third-party reports it commissioned recommending that stronger measures be implemented to ensure that the company’s journalists be screened from viewing client information through its financial terminals.
• Aug. 21. Riot Games, maker of League of Legends, which is played by 32 million gamers worldwide, announces it will be resetting the passwords of some of its users due to a breach of a portion of its North American account information. In addition, it said it will be requiring that all new players and existing players making changes to their accounts to provide the company with a valid email address. It will also be implementing two-factor authentication for changes made in an email address or password.
• Aug. 22. Ferris State University began sending out notifications to some 39,000 people after a data breach on its Big Rapids, Mich. campus exposed files containing their names and Social Security numbers to unauthorized parties.

Upcoming Security Events

• Aug. 27. Halon to release study of consumer email security.
• Aug. 27. Bit9 to release 2013 Cybersecurity report.
• Sept. 10. AT&T Cyber Security Conference. New York Hilton Midtown Hotel, Avenue of the Americas, New York City. Free with registration.
• Sept. 11-13. 4th Cybersecurity Framework Workshop. The University of Texas at Dallas, 800 West Campbell Road, Richardson, Texas. Free with registration.
• Sept. 12. Inside the Mind of a Hacker, 9:30 a.m. ET. Webinar sponsored by WatchGuard. Free with registration.
• Sept. 12. Mobile Work Exchange Fall 2013 Town Hall Meeting. Walter E. Washington Convention Center, Washington, D.C. Registration: government, free; non-government, US$495 (Aug. 16-Sept. 11), $595 (Sept. 12).
• Sept. 18-20. Gartner Security & Risk Management Summit 2013. London. Registration: 2,325 euros + VAT; government, 1,800 euros + VAT.
• Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, US$895 member, $1,150 nonmember. After Aug. 20, $995 member, $1,295 non-member.
• Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian /The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early bird to July 31, US$875/$775 government; Standard to Oct. 3, $995/$875 government.
• Oct. 2. Visa Global Security Summit — Responsible Innovation: Building Trust in a Connected World. Ronald Reagan Building and International Trade Center, Washington, D.C. Free with registration.
• Oct. 5. Suits and Spooks. SOHO House, New York City. Registration: Early bird, $US395 (July 5-Aug. 31); $625 (Sept. 1 and after).
• Oct. 8-9. Cyber Maryland 2013. Baltimore Convention Center., Baltimore, Md. Registration: US$495; government, free; academic faculty, $295; student, $55.
• Oct. 17-18. 2013 Cryptologic History Symposium. Johns Hopkins Applied Physics Laboratory’s Kossiakoff Conference Center, Laurel, Md. Registration information to be announced.
• Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early bird to July 26, 895 euros + VAT delegate/ 495 euros + VAT one-day pass; discount to Sept. 27, 995 euros + VAT delegate/595 euros + VAT one-day pass; standard from Sept. 27-Oct.27, 1,095 euros + VAT delegate/695 euros+ VAT one-day pass; onsite from Oct. 28-31, 1,295 euros+ VAT.
• Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles. Registration: Early bird to Sept. 27, $2,075; standard, $2,375; Public sector, $1,975.
• Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit: Risk Management and Security Intelligence for companies in the Middle East and North Africa. Dubai.
• Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.