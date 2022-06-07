Finance
PCI DSS Version 3.0: New Standard But Same Problems?
Introduction
“Cardholder data continues to be a target for criminals. Lack of education and awareness around payment security and poor implementation and maintenance of the PCI Standards leads to many of the security breaches happening today” PCI SSC ‘PCI DSS 3.0 Change Highlights’ – August 2013
Card data theft is still happening so the third revision of the PCI Data Security Standard is as much a re-launch as a revamp.
Many organizations – even Level 1 Merchants – have yet to fully implement all requirements of the PCI DSS V2 or previous versions of the standard, so eyes may well be rolling at a new version of a standard which hasn’t yet been mastered in its previous forms.
This new version is more about refinement and clarification than any introduction of new techniques or technologies to help protect against card data theft, but while losses through card fraud are still on the increase, it is clear that something has to change.
How large is the problem?
In terms of the losses being experienced, you can see why card brands, issuers and banks would still be desperate for better care and attention to be applied to their card numbers. $11Billion was lost last year and that amount is increasing yearly. Bearing in mind that the total value of card payment transactions now exceeds $21 Trillion annually, there is still plenty of money being made from the provision of fast guaranteed payment products. However, any initiative that reduces that $11 Billion loss is worthy of some time and attention. From the most recent Nilsson Report on card fraud:
“Card issuer losses occur mainly at the point of sale from counterfeit cards. Issuers bear the fraud loss if they give merchants authorization to accept the payment. Merchant and acquirer losses occur mainly on card-not-present (CNP) transactions on the Web, at a call center, or through mail order”
PCI compliance isn’t just a card-brand problem that results in your organization having to spend time and money on, but is a way to protect your organization directly from serious risk. This isn’t simply a financial risk either: other factors such as brand protection and customer trust are also lost when a breach occurs.
PCI DSS Version 3.0 – Stick or Twist?
The new version of the PCI DSS isn’t available until early next month so this is an early reveal of what is quite an extensive re-working of the standard. Most of the requirements are carried over with some tweaks and additions which will be covered later but there is also a degree of refinement in the wording throughout the standard.
The overall intention is that the standard aims to promote thinking about security of cardholder data rather than simply driving compliance with the standard. The Security Standards Council are, of course, keen that security best practices are adopted and practiced as a matter of routine rather than just as a ‘once-a-year, big-push-to-keep-an-auditor-happy’ event – as if anyone would do that? J
New items will be considered “best practices” until June 2015, after which they will become official requirements. Furthermore, any organization compliant with PCI DSS 2.0 can stick until January 2015 before adopting the new version of the DSS.
What Has Changed in PCI DSS V3?
So what are the specific changes or new requirements? There are wording changes throughout to encourage more routine focus on the PCI DSS requirements, but there are some detail changes and clarifying language that we can highlight here.
Requirement 2: Vulnerability Management and Hardening
Requirement 2 has always mandated the need to harden server, EPOS, and network device configurations, removing default settings as a minimum, but encouraging the adoption of a NIST or CIS hardening checklist. Detail changes for Version 3 make pass phrases acceptable. Pass phrases make a good alternative to long, complex passwords, being easier to manage and remember, but with equivalent security protection. Hardening, vulnerability management and configuration control is one of the NNT ‘strong hands’, and more detail is available on our website.
Requirement 6: Develop Secure Applications
6.5.6 – Insecure Handling of PAN and SAD in Memory
Just like with Buffer Overflow Protection and SQL Injection Attack mitigation, this is an appeal for application designers to be on their guard. This requirement is aimed specifically at defending against memory scraping malware, and to design in safety features so that CHD and Secure Authentication Data is protected.
The call is to take a step back and consider using programmatic features that prevent unauthorized applications from accessing memory (some development environments are better than others for this). What happens to CHD or SAD during a program crash? (Many attacks take the form of disruption to the application in order to make it ‘cough up’ or dump data). Where possible, can the application completely erase data when no longer needed?
In other words, this is partly an application development challenge (hence being a Requirement 6 item) but also a malware protection issue too. An attacker will need a Trojan or other Malware to scrape memory, so low level FIM can play a part in underwriting coded-protection. In summary, get ready for some more challenging questions from your QSA, so ask your EPoS/eCommerce app providers or in house development team now what they make of this requirement. Potentially this will also prove to be a difficult requirement for a QSA to validate.
6.5.11 – Broken Authentication and Session Management
The detail of this new requirement appears to be asking merchants to mitigate the risk involved with client-side takeovers: assume that trusted clients could become attack vectors. Client-side attacks are one of the most common ways hackers get access to data and as ever, hackers will go for the weakest link. The requirement also intends to put focus on man-in-the-middle style attacks as well.
Interestingly there is also a suggestion that merchants who use re-directed services (like Worldpay for example) may also need to examine their application session management operation for vulnerabilities.
Primarily this is an application design issue (Requirement 6 prefix is a giveaway J ). It highlights a common ‘vulnerability vs. functional’ balance that is tolerated by developers because implementation can create user experiences that are compromised. For example, it is not going to improve sales from a retail web site if, when a customer leaves their shopping cart pre-checkout momentarily, they return to a “session timeout” message. OWASP knowledgebase is your go-to resource for development mitigation.
Requirement 8: Always Use Unique User IDs
8.5.1 – Unique Authentication Credentials for Service Providers
Standard security best practices within and outside of the PCI DSS are to always use unique access credentials for EVERYTHING so you know who is the perpetrator when something untoward takes place. It’s just standard, good practice.
However the need for this to be explicitly highlighted as a requirement suggests that service providers need a reminder that this does apply to them too. Most service providers will be operating securely but they still need to take the same basic precautions and ensure they are using unique credentials (and not just ‘customername+administrator as a username either!)
Requirement 9: Physical Security
9.9 – Protection of Point-of-Sale (POS) Devices from Tampering
Based on cardholder data theft statistics, card skimming and more elaborate variants thereof targeted on the POS equipment are still widespread. This is the ying to the yang of the previously covered, highly technical requirements, reminding Merchants that ‘low tech’ crime still works too.
Requirement 9 has always been intended to convey the message of ‘don’t let anyone touch any of the cardholder data processing equipment’. The Version 3 clarification here explicitly highlights protection of endpoints, leading to the conclusion that Requirement 9 has generally been interpreted as – rightly – being strongly oriented towards the ‘central site’ data center, but at the expense of focus on POS systems.
Requirement 11: Test Security
11.3 Develop and Implement a Methodology for Penetration Testing
This is another ‘new’ requirement that exists to emphasize focus on one of the standard practices that everyone already complies with, but maybe doesn’t do it as well as they might. A classic case of meeting the letter, but not the spirit, of the requirement.
It appears that the market for Pen Testing has become highly commoditized with most vendors offering cost-engineered, highly-automated services. This inevitably has led to tests becoming more superficial (more ‘checkbox approach to compliance’) so this new requirement is a ‘tug on the leash’, forcing the merchant to avoid bad habits and corner-cutting.
This is something very key to the NNT methodology anyway, in that we advocate that classic Security Best Practices are operated, which in turn help to minimize the ‘boom and bust’ approach to vulnerability management that the PCI DSS sometimes engenders.
For example, running annual or quarterly scans, then having to drop everything for a week in order to patch and re-configure devices before repeating the process 3 months later not only makes life hard, but may also render you unsecure for months at a time. NNT works on a continuous basis to continually track changes to devices and allow you to operate more of a ‘trimming’ process to vulnerability management. This approach is more effective, gentler on the network and hosts, and easier on your resources too!
Requirement 12: Maintain a Security Policy
12.9 – Additional Requirement for Service Providers on Data Security
And finally, a clarification of Requirement 12 concerning the use of Cloud or Managed Security Services. The intention is to ensure that service providers properly understand and operate their PCI requirements fully. The DSS places the onus on the merchant to ensure they have a statement acknowledging this and, in turn, Merchants should be indemnified of cardholder data protection by their service provider.
Conclusion
In summary, while there are new requirements, some of which may prove to be challenging to implement and test, nothing changes in terms of intent.
Data security has to be a full-time focus, requiring high levels of operational discipline, with checks and balances to ensure security is being maintained. The PCI DSS attempts to convey this, but has always fallen victim to the need to educate, clarify and mandate security best practices. Data Security isn’t an easy thing to describe or summarize, hence the DSS has ended up with 650 sub-requirements that the Merchant or Payment Processor find complex and ambiguous.
Technology can help, and the opportunity exists to implement highly automated solutions to the bulk of PCI requirements that are neither expensive, nor difficult, to implement and run.
And this new version of the DSS, with greater emphasis on making security a regular habit, is squarely in line with this. In fact, you could simplify the majority of the PCI DSS down to the following steps:
- Implement basic perimeter and endpoint security with Firewalls, IPS and Anti-Virus
- Audit Servers, Databases and Network Devices against NIST or CIS hardening checklists to eliminate vulnerabilities (use your FIM system for this)
- Once devices have been hardened, implement continuous vulnerability monitoring, with real-time malware detection (in other words, real-time File Integrity Monitoring)
- Instigate configuration change control to ensure devices remain secure at all times (FIM again), patch all systems monthly
- Underpin processes with logging and SIEM as a checks and balances audit trail, with regular pen testing and ASV vulnerability scans
Take these steps, and you’ll not just be ahead of the curve for PCI DSS Version 3.0, but probably Version 4.0 too.
How To Borrow Money Against A Shared Inheritance
An heir may have to wait months and even years in order to get their inheritance distributions. This is because of the length of the legal process involved. So, an heir is allowed, by means of cash advances or loans, to receive funds in a matter of days. It has no effect on the other heirs of the estate. A portion of the estate is assigned by the cash advance company, in exchange for the loan. Here is how you can get an advance on your inheritance.
• You need to first determine whether you have the eligibility for an inheritance cash advance or not. Advances are only typically received by the heirs from probate assets. Probate assets are bank accounts, insurance policies, real estate, company interests and other assets that were only owned by the decedent. Non-probate assets include trust, retirement accounts or any accounts that are jointly held with another person.
• You need to first determine what amount of money you want to lend from your shared inheritance. The usual range of inheritance loans and advances are from $5000 to $250000. Select an amount of loan that is less than the inheritance you expect. The amount of the loan is capped by some lenders at a certain percentage of your total expected inheritance.
• Contact a company that has a specialization in inheritance advances. Money can only be borrowed by the inheritors from their inheritance after the beginning of the probate process by the inheritors. Do not forget to ask the inheritance company that for an inheritance advances what fees will they charge. The fees vary depending on companies. Fees usually depend on the amount of the advance, the complexity of the estate and the amount of time until the estate closes.
• A cash advance has to be arranged by you from the lender. Funds can generally be distributed by the companies from advances and loans within a few days of business of the transaction. If sufficient funds are not present to pay the loan, ask the company about its consequences. The heir usually does not have personal liability for insufficient estate funds because the heir is assigned an interest to the company.
• Return the money back to the inheritance cash advance company as early as possible. When the estate closes, executor automatically pays the money to the inheritance cash advance companies as part of the transaction. However, discounts and rebates are offered by some companies for heirs that pay back the loan early.
Payment Processing Services
In order to get a strong customer base and to become capable of selling products online it is necessary that your business offers online payment processing services. Your merchant accounts provider can help you gain potential customers and boost your sales by providing you with various payment processing services which will enable you to accept payments from anywhere at anytime at all. Not offering payment processing services can keep your business behind your competitors.
Providing automated and real-time payment processing services allows your business and customers to have the total freedom for online marketing. A merchant account makes payment processing rather simple and hassle free especially for high volume sales. Although some banks and processors still create problems for business owners to get their own merchant accounts due to the risks involved with payment processing, however with merchant account providers it is a lot more dependable and secure. Having your own merchant account not only enables you to accept the various payments but also allows you to offer your customers with various payment processing options and avoid chargebacks.
With a reliable payment gateway, encrypted servers and secure virtual terminal, payment processing has become safe and lets you process payments in a protected environment. It is always better to have your own merchant account for payment processing needs rather than to depend on your bank or processor solely for this reason. Also with processors and banks you have to pay an extra amount of money just for transaction fees and possibly for other payment processing services but with a merchant account you don’t have to worry about such things.
Having your own merchant account enables you to get various flexible payment processing solutions for your business and it not just reduces the lost sales but also enhances the quality of your services by letting you offer hassle free and convenient services to your customers.
How to Get Your Business Funded in 2018
Contrary to popular belief, business plans do not generate business financing. True, there are many kinds of financing options that require a business plan, but nobody invests in a business plan.
Investors need a business plan as a document that communicates ideas and information, but they invest in a company, in a product, and in people.
Small business financing myths:
Venture capital is a growing opportunity for funding businesses. Actually, venture capital financing is very rare. I’ll explain more later, but assume that only a very few high-growth plans with high-power management teams are venture opportunities.
Bank loans are the most likely option for funding a new business. Actually, banks don’t finance business start-ups. I’ll have more on that later, too. Banks aren’t supposed to invest depositors’ money in new businesses.
Business plans sell investors. Actually, they don’t well-written and convincing business plan (and pitch) can sell investors on your business idea, but you’re also going to have convince those investors that you are worth investing in. When it comes to investment, it’s as much about whether you’re the right person to run your business as it is about the viability of your business idea.
I’m not saying you shouldn’t have a business plan. You should. Your business plan is an essential piece of the funding puzzle, explaining exactly how much money you need, and where it’s going to go, and how long it will take you to earn it back. Everyone you talk to is going to expect to see your business plan.
But, depending on what kind of business you have and what your market opportunities are, you should tailor your funding search and your approach. Don’t waste your time looking for the wrong kind of financing.
Where to look for money
The process of looking for money must match the needs of the company. Where you look for money, and how you look for money, depends on your company and the kind of money you need. There is an enormous difference, for example, between a high-growth internet-related company looking for second-round venture funding and a local retail store looking to finance a second location.
In the following sections of this article, I’ll talk more specifically about different types of investment and lending available, to help you get your business funded.
1. Venture capital
The business of venture capital is frequently misunderstood. Many start-up companies resent venture capital companies for failing to invest in new ventures or risky ventures. People talk about venture capitalists as sharks-because of their supposedly predatory business practices, or sheep-because they supposedly think like a flock, all wanting the same kinds of deals.
This is not the case. The venture capital business is just that-a business. The people we call venture capitalists are business people who are charged with investing other people’s money. They have a professional responsibility to reduce risk as much as possible. They should not take more risk than is absolutely necessary to produce the risk/return ratios that the sources of their capital ask of them.
Venture capital shouldn’t be thought of as a source of funding for any but a very few exceptional startup businesses. Venture capital can’t afford to invest in startups unless there is a rare combination of product opportunity, market opportunity, and proven management. A venture capital investment has to have a reasonable chance of producing a tenfold increase in business value within three years. It needs to focus on newer products and markets that can reasonably project increasing sales by huge multiples over a short period of time. It needs to work with proven managers who have dealt with successful start-ups in the past.
If you are a potential venture capital investment, you probably know it already. You have management team members who have been through that already. You can convince yourself and a room full of intelligent people, that your company can grow ten times over in three years.
If you have to ask whether your new company is a possible venture capital opportunity, it probably isn’t. People in new growth industries, multimedia communications, biotechnology, or the far reaches of high-technology products, generally know about venture capital and venture capital opportunities.
If you are looking for names and addresses of venture capitalists, start with the internet.
The names and addresses of venture capitalists are also available in a couple of annual directories:
The Western Association of Venture Capitalists publishes an annual directory. This organization includes most of the California venture capitalists based in Menlo Park, CA, which is the headquarters of an amazing percentage of the nation’s venture capital companies.
Pratt’s Guide to Venture Capital Sources is an annual directory available online or in print format.
2. Sort of venture capital: Angels and others
Venture capital is not the only source of investment for start-up businesses or small businesses. Many companies are financed by smaller investors in what is called “private placement.” For example, in some areas there are groups of potential investors who meet occasionally to hear proposals. There are also wealthy individuals who occasionally invest in new companies. In the lore of business start-ups, groups of investors are often referred to as “doctors and dentists,” and individual investors are often called “angels.” Many entrepreneurs turn to friends and family for investment.
