PCI-DSS Version 1.2 - Changes Forthcoming
The PCI Security Standards Council has released a summary of changes and clarifications for version 1.2 of the PCI-DSS standard, which is scheduled for release on October 1, 2008. In an effort to combat the growing problem of card theft, the Payment Card Industry Data Security Standard has been established to ensure that through the use of imposed regulations, compromises of customer card data will not be easily possible. Virtually anyone wishing to handle or process customer card data is familiar with these regulations and probably equally aware of the costs associated with achieving and maintaining PCI compliance. For some people, security is difficult to invest in. You spend a lot of money on something, and you may feel like you don't receive any tangible or perceptible benefit afterwards. You may have even been forced to change some aspects of your business in order to adopt processes that feel less efficient. However, several retailers are now facing serious repercussions from the Federal Trade Commission, as well as bills as high as $16 million to deal with a recent widely publicized security breach. This is roughly the equivalent of forgoing a $50 oil change and later having your vehicle towed, followed by a bill for $5,000 to swap out your seized engine. Perhaps more importantly, you may have failed to uphold the trust that your customers placed in you to safeguard their personal information. This is difficult to put a price on, but most economists will likely tell you that it is very high.
The US Department of Justice recently announced the indictment of 11 individuals, alleging large scale credit card theft from at least eight major US retailers. One individual named in the indictment has a bit of history in the carding scene, having previously been arrested in connection with Operation Firewall, which brought down Shadowcrew in 2003. In fact, this individual was acting as a key informant in the case, working with law enforcement to set up a VPN for the group that would log all of their activity. Presumably they reached an understanding whereby he would cease his criminal activities, but law enforcement now knows that he instead opted to pursue a slightly different agenda. Now, they would like him and his associate to return the $2 million, Miami condo, 2006 BMW, various laptops, plasma TVs, iPods, and an assortment of other consumer electronics devices that they allegedly purchased since the original encounter, using means that law enforcement feels were less than legitimate. The 41 million cardholders that unknowingly contributed to this comfortable-sounding lifestyle probably share their sentiments, too. I personally had a credit card fraudulently copied and used during that time frame. For all I know, I might have made one of those BMW payments. But more disturbing is the fact that this individual's profits are only the tip of the iceberg. Quite frankly though, if I knew which retailer it was that failed to protect my card, I don't think they would be likely to get my future business.
This particular attack involved wardriving in front of the establishment to compromise computer systems within a given retailer's premises, and installing a sniffer to capture the "track 2" data off of the credit and debit cards being used to make purchases. Track 2 data, which is what carders refer to as "dumps," resides on the magnetic stripe of credit and debit cards and contains account numbers and expiration dates. This data is then written to other cards using inexpensive magstripe writers, and used to make purchases. One might reasonably expect that the systems performing such transactions are not accessible from the parking lot via unsecured wireless network connections. But, in the case of at least some of the victimized retailers, that was expecting too much. Others victims chose encryption algorithms with poor security, which required only a little more patience on the attacker's part.
The PCI Security Standards Council has released a summary of changes and clarifications for version 1.2 of the PCI-DSS standard, scheduled for release on October 1, 2008. Some of the updates deal specifically with improving wireless security in areas that were exploited by these attackers. The key changes are as follows:
-Removal of WEP as an acceptable wireless encryption algorithm
-Emphasized requirements for disk encryption on local user account databases
-Wireless must use industry best practices and strong encryption, such as 802.11x
-Emphasis that anti-virus software requirement applies to all operating systems
-Anti-virus solution used must provide coverage against all types of malicious software
-More rigorous testing of all public-facing web applications
-Emphasis that requirement to secure media applies to electronic and paper media containing cardholder data
-Testing procedures must verify that passwords are unreadable in storage and transmission
-Additional guidance on wireless analyzers and wireless intrusion detection (IDS) or intrusion prevention systems (IPS)
-An Approved Scanning Vendor (ASV) must be used for quarterly external vulnerability scans
For more information on PCI DSS Standards, you can visit:
The Symantec Security Awareness Program also offers a PCI Data Security Standard course. More information can be found at:
If your organization would like information on obtaining Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV) services from Symantec, please contact firstname.lastname@example.org.