Category Archives: PCI DSS

CISOs struggling to prep for security audits

Calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely, according to Shujinko. Moreover, CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes. Furthermore, the results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, obsoleting … More

The post CISOs struggling to prep for security audits appeared first on Help Net Security.

NIST and PCI SSC Find Common Ground in Development of Software Frameworks

The National Institute of Standards and Technology (NIST) and the PCI Security Standards Council (PCI SSC) have recently announced complementary frameworks for secure software development. There are numerous mature, secure software lifecycle management methodologies and frameworks available that, when properly implemented and maintained, can produce secure software.

How to document PCI DSS-compliant policies and procedures

Technology can only do so much to protect an organisation from data breaches. That’s why Requirement 12 of the PCI DSS (Payment Card Industry Data Security Standard) instructs organisations to implement policies and procedures to help staff manage risks.

Employees introduce many risks into businesses that technology simply can’t prevent. Misconfigured databases, email attachments sent to the wrong person and records that are improperly disposed of are common examples of the ways staff compromise information.

These are the kinds of risks that a PCI DSS policy can help prevent.

What you should include in a PCI DSS policy

A PCI DSS policy is a collection of written procedures and guides that state how an organisation manages its CDE (cardholder data environment).

To achieve PCI compliance, your security policy must address:

  • Information security

This policy details the organisation’s security strategy regarding how to store, process or transmit cardholder information.

It provides a detailed outline of information security responsibilities for all staff, contractors, partners and third parties that access the CDE.

The document should also summarise your approach to the PCI DSS’s control objectives.

Specifically, you should address how you will build and maintain secure networks, protect cardholders’ information (with encryption playing a central role), maintain a vulnerability management programme, restrict access for unauthorised persons and monitor your networks.

  • Formal security awareness

Requirement 12.6 of the PCI DSS states that all employees with access to the CDE must receive training on how to manage their compliance requirements.

You should therefore set out a formal process that outlines your approach to staff awareness.

Training courses should explain what the PCI DSS is, why its requirements are necessary and how employees can meet their obligations. This should include things such as encryption, password management and how to process or transmit cardholder data.

The aim of these courses shouldn’t just be to impart knowledge but to reinforce good security habits.

When training is repeated often enough – we’d recommend annually or whenever you experience a security incident – employees will know intuitively what to do and how to avoid costly mistakes.

  • Incident response

Requirement 12.10 of the PCI DSS states that organisations must have an incident response plan, which they can enact in the event of a security breach.

Your plan should outline the key roles and responsibilities when it comes to detecting and responding to a data breach.

Although it might seem like locking the door after the horse has bolted, organisations that are able to spot an intrusion promptly and take action to rectify the situation have been proven to suffer much less damage – both financially and reputationally – compared to those who don’t have a plan.

A significant aspect of your incident response plan will cover your notification requirements. Depending on the nature of the breach, you might be required to inform law enforcement, third-party organisations and affected customers.

Fast-track your documentation process

Policies and procedures only work if they are regularly reviewed and updated to ensure they work as intended.

This can be time-consuming and challenging, so we’ve created our PCI DSS Documentation Toolkit to simplify the job.

This toolkit includes all the template documents you need to ensure complete coverage of your PCI DSS requirements.

Below is an example of one of the customisable templates in our Documentation Toolkit:

[Screenshot of one of our PCI DSS template documents]

As with all templates in this toolkit, we’ve provided all the necessary information.

All you need do is fill in the sections that are relevant to your organisation.

The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.

Find out more

A version of this blog was originally published on 13 November 2017.

The post How to document PCI DSS-compliant policies and procedures appeared first on IT Governance UK Blog.

Cyber Security Roundup for April 2020

A roundup of UK-focused cyber and information security news, blog posts, reports and general threat intelligence from the previous calendar month, March 2020.

The UK went into lockdown in March due to the coronavirus pandemic; these are unprecedented and uncertain times. Unfortunately, cybercriminals are taking full advantage of this situation: both UK citizens and businesses have been hit with a wave of COVID-19 themed phishing emails and scam social media and text messages (smishing), which prompted warnings by the UK National Cyber Security Centre and UK banks, and a crackdown by the UK Government.

[Image: Convincing COVID-19 Scam Text Message (Smishing)]

I have not had the opportunity to analyse a copy of the above scam text message (smishing), but it looks like the weblink displayed is not as it appears. My guess is the link is not part of the domain, but the attacker has used an international domain name homograph attack, namely using foreign font characters to disguise the true address of a malicious website that is linked.

I was privileged to be on The Telegraph Coronavirus Podcast on 31st March, where I was asked about the security of video messaging apps, a transcript of what I advised is here. Further coronavirus cybersecurity advice was posted on my blog, on working from home securely and to provide awareness of coronavirus themed message scams.  It was also great to see the UK payment card contactless limit increased from £30 to £45 to help prevent coronavirus spread.

March threat intelligence reports shone a light on the scale of the cybercriminal shift towards exploiting the COVID-19 crisis for financial gain. Check Point's Global Threat Index reported a spike in the registration of coronavirus-themed domain names, stating that more than 50% of these new domains are likely to be malicious in nature. Proofpoint reports that more than 80% of the threat landscape is using coronavirus themes in some way. There has been a series of hacking attempts directly against the World Health Organisation (WHO), from DNS hijacking to spread a malicious COVID-19 app to a rather weird plot to spread malware through a dodgy anti-virus solution.

Away from the deluge of coronavirus cybersecurity news and threats, Virgin Media was found to have left a database open, exposing thousands of customer records, and T-Mobile's email vendor was hacked, resulting in the breach of customers' and employees' personal data.

International hotel chain Marriott reported that 5.2 million guests' details were stolen after an unnamed app used by guests was hacked. According to Marriott's online breach notification, stolen data included guest name, address, email address, phone number, loyalty account number and points balance, employer, gender, birthday (day and month only), airline loyalty programme information, and hotel preferences. It was only on 30th November 2018 that Marriott disclosed a breach of 383 million guests.

Tony Pepper, CEO at Egress, said: “Marriott International admitted that it has suffered another data breach, affecting up to 5.2 million people. This follows the well-documented data breach highlighted in November 2018 where the records of approximately 339 million guests were exposed in a catastrophic cybersecurity incident. Having already received an intention to fine from the ICO to the tune of £99m for that, Marriott will be more than aware of its responsibility to ensure that the information it shares and stores is appropriately protected. Not only does this news raise further concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches. It will be interesting to see if further action is taken by the ICO.”

Five billion records were found to be exposed by UK security company Elasticsearch. Researchers also found an open MongoDB database on Amazon Web Services that left eight million European Union citizens' retail sales records exposed, including personal and financial information. And Let’s Encrypt revoked over 3 million TLS certificates due to a bug in its certificate rechecking.

March was another busy month for security updates: Patch Tuesday saw Microsoft release fixes for 116 vulnerabilities, and there was an out-of-band Microsoft fix for the 'EternalDarkness' bug on 10th March, but a zero-day exploited vulnerability in Windows remained unpatched by the Seattle-based software giant. Adobe released a raft of security patches, as did Apple (over 30 patches), Google, Cisco, DrayTek, VMware, and Drupal.

Stay safe, stay home and watch out for the scams.