Community Meetings are hosted by the PCI Security Standards Council in locations around the world. These regional meetings welcome Council executives alongside industry leaders to cover standards updates, security strategies and the latest technology advancements. Register today to attend the Asia-Pacific Community Meeting to hear payment industry insights from that region.
In this post, we get insights from Steve Marshall, Chief Operating Officer, Risk-X. Here he discusses his presentation from the Middle East and Africa Forum in Cape Town, South Africa.
Your presentation discusses payment security lessons that Europe learned the hard way. Can you share some of these key lessons?
Steve Marshall: What I have learned over the past ten years of consulting in the payment security industry is twofold: firstly, reducing the scope to the smallest possible footprint and secondly, reducing the required controls to the smallest number possible. Why are these the most important lessons? Well, reducing the scope and securing the data as close to the inception point as possible reduces the risk of compromise to the smallest possible surface area. Additionally, reducing the number of controls as far as possible means that merchants are more likely to implement them properly, maintain them and then sustain them going forwards. This leads to less control failure, fewer points of compromise in the environment and ultimately allows merchants to do what they do best – sell goods and services to make money! In order to achieve this, the best merchants:
- Use PCI DSS compliant, secure and reputable service providers;
- Use outsourced PCI P2PE certified face-to-face payment solutions for both fixed and mobile POS environments;
- Use secure voice solutions for the security of telephone order payments;
- Use fully outsourced hosted payment pages or iFrame implementations for e-commerce transactions;
- Use tokenisation and transaction numbers to allow reconciliation, refunds, reversals and chargebacks without the need for the PAN;
- Tidy up all of their pre-loved (legacy) systems and data.
This is my opinion based on my experience working in the European market, having worked for over 180 companies of all sizes, and some of the largest in the region. There are always other ways to achieve the same end result, but my experience as a core PFI leads me to conclude that reducing the risk and protecting against breach/fraud, whilst maximising payment acceptance, surely has to be the ultimate end goal.
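The descoping advice above (tokenisation and transaction numbers in place of the PAN, with the card data held only by a compliant provider) can be made concrete. The following is an added example and is not code from this post or from Risk-X: `ProviderVault` stands in for a PCI DSS compliant service provider behind a hosted payment page, `MerchantLedger` for the merchant's own records, and the class names, record layout and the 4111... test PAN are assumptions made for the example. The point it shows is that refunds and reconciliation work on the merchant side with nothing but a token, the last four digits and a transaction number, so a scan of the merchant's records for anything PAN-shaped comes back empty.

```python
"""Tokenisation: the PAN stays with the service provider; the merchant keeps
only a token, the last four digits and a transaction number.

Added example, not code from the PCI SSC post or from Risk-X. ProviderVault
and MerchantLedger are hypothetical names; the record layout and the test PAN
are constructed for the example.
"""
import re
import secrets
import string

# Any 13-19 digit run that also passes Luhn is treated as a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Tokens use letters only, so a token can never look like a card number.
TOKEN_ALPHABET = string.ascii_letters


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: rejects bad input at the provider and
    is reused to scan merchant records for anything PAN-shaped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProviderVault:
    """Provider side: the only place the PAN exists. With a hosted payment
    page the customer's browser posts the PAN here, so the merchant's
    systems never receive it."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def hosted_payment(self, pan: str, amount_minor: int) -> dict:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = self._token_by_pan.get(pan)
        if token is None:
            # Random token with no relationship to the PAN: the same card always
            # maps to the same token, which is what reconciliation needs.
            token = "tok_" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(24))
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        # Authorisation with the real PAN would happen here; the receipt handed
        # to the merchant carries the token and last four digits only.
        return {"token": token, "last4": pan[-4:], "amount_minor": amount_minor}

    def refund(self, token: str, amount_minor: int) -> str:
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return "REF-" + secrets.token_hex(4)


class MerchantLedger:
    """Merchant side: holds what refunds, reversals, chargebacks and
    reconciliation need, none of which is the PAN."""

    def __init__(self, provider: ProviderVault):
        self.provider = provider
        self.records = []

    def _next_txn(self) -> str:
        return f"TXN-{len(self.records) + 1:06d}"

    def record_sale(self, receipt: dict) -> str:
        txn_id = self._next_txn()
        self.records.append({"txn": txn_id, "type": "sale", **receipt})
        return txn_id

    def refund(self, txn_id: str, amount_minor: int) -> str:
        sale = next(r for r in self.records if r["txn"] == txn_id and r["type"] == "sale")
        if amount_minor > sale["amount_minor"]:
            raise ValueError("refund exceeds original sale")
        ref = self.provider.refund(sale["token"], amount_minor)  # token only, no PAN
        self.records.append({"txn": self._next_txn(), "type": "refund",
                             "token": sale["token"], "last4": sale["last4"],
                             "amount_minor": amount_minor, "provider_ref": ref})
        return ref

    def contains_pan(self) -> bool:
        """Scope check: would an investigator find card data in these records?"""
        blob = repr(self.records)
        return any(luhn_ok(m.group()) for m in PAN_RE.finditer(blob))


if __name__ == "__main__":
    vault = ProviderVault()
    ledger = MerchantLedger(vault)
    txn = ledger.record_sale(vault.hosted_payment("4111111111111111", 2500))
    print(txn, ledger.refund(txn, 1000), "PAN in merchant records:", ledger.contains_pan())
```

The `contains_pan` scan is the check worth keeping: run the same regex-plus-Luhn test over databases, logs and backups, since the "pre-loved" systems mentioned above are where PANs usually turn up.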
Can you talk about your role as a PCI Forensic Investigator (PFI)?
Steve Marshall: Every time I say that I am a payment forensic investigator everyone instantly thinks about CSI and lots of cool, high-tech equipment in glamorous locations where evidence is always available and the criminal is caught, prosecuted and goes to jail. This is usually a long way from the real world of payment forensics, which is largely unglamorous and can be considerably time-consuming and laborious. I often describe this as about 95% perspiration and 5% inspiration. We have to first find the evidence and then piece back together the sequence of events that have occurred and, in a lot of cases, key data is often missing. This is not only the result of attackers becoming more adept at covering their tracks, but due to the basic security controls not being in place and a lack of independent logs that can be relied upon. This leads to a high level of frustration, as you know what has happened, but you just do not have the evidence to prove it in a court of law.
I have to take my hat off to all of the people that are far cleverer than I am at the highly specialised recovery of data from a vast array of equipment. My work generally centres on the larger, more complex cases and considers the psychology of the situation/criminal, as well as piecing together complex strings of what seems to be disparate evidence. It is great fun playing cat and mouse with the attacker while trying to discover the next move that they made, and the overall origin of the attack. However, at the end of the day, there are victims that may have been defrauded and this could be a relation of yours or mine. It is therefore important to keep this in mind and work hard to find the evidence to help law enforcement, customers and the industry improve, so that we stay one step ahead.
It should always be remembered that good forensic investigation requires multi-disciplinary skilled teams, as it is not all about bits and bytes – although there is a good degree of that! The work that we conduct can be as much about proving innocence as it is about proving guilt, and this is often a forgotten lesson.
As a PFI, do you see breaches that result from security basics not being followed (for example, poor password practices, unpatched/outdated software and remote access vulnerabilities)? What can be done to prevent organizations from failing to uphold basic security practices?
Steve Marshall: In around 98% of all the cases that we see, the attack's entry exploit was often very unsophisticated and could have been easily prevented. For example, people leave their content management system administrator panel open to the internet, which an attacker can easily brute force, re-use stolen credentials on, or use an exploit to bypass, as the system is unpatched and has no anti-malware services. Or we see a SQL injection that allows the uploading of a webshell to be able to take control of the system. What has become more sophisticated is the collection of data on these systems and how this is transferred back to the attacker, leaving minimal data evidence behind of what has been compromised.
It is relatively easy for companies to protect themselves against simple compromises and there are great resources that can help with this process - the PCI DSS itself (even if all requirements do not apply, based on your implementation), the PCI SSC Best Practices for Securing E-commerce guidance document and the card schemes' own documents on processing e-commerce payments. In the cases that we see most often, the following areas would have prevented the breach or significantly helped the investigation that followed:
- Two Factor Authentication for the Content Management Systems (CMS) administrator panels on the internet, although we still recommend that these are hidden using appropriate firewall rules;
- Use technology that you know how to use and the IT teams can support and secure;
- Use benchmarks (PCI DSS, CIS, SANS, NIST and vendor resources are all available) and secure devices using good working practices;
- Patch everything – all critical and security patches should be applied as soon as possible once tested;
- Use anti-malware solutions, even on Linux (which we know is controversial) – however, how do we find the webshells that the criminals used? We use anti-virus software to find them!
- Log relevant data (see PCI DSS 10.2 and 10.3), secure this away from public facing systems and ensure that you keep a year’s worth of logs – we usually really struggle in this area as investigators;
- Assess vulnerabilities regularly and close the gaps as quickly as possible;
- Assess/Audit your third parties, understand their third parties so that you know where your data is and what risks you are exposed to, and where appropriate use PCI DSS compliant service providers.
There is nothing that is revolutionary about the information that is shown above, but it is surprising how many people either don’t follow the basics or simply just get them wrong! Companies in the modern world suffer from change fatigue, conflicting priorities and the need to react quickly to beat their competitors; all of which can be at odds with the implementation of security controls. However, security should be an enabler and needs to be aligned with the business requirements and drivers and not be at odds with them. Therefore, lightweight, flexible frameworks, using sensible solutions that enable functionality rather than hindering it, seem to be the most appropriate. This comes down to the advice you receive, the skill of the consultants that you employ, the maturity of the management team as well as the people implementing, and some good old-fashioned education until a collaborative working solution is agreed that satisfies everyone’s needs.
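The three entry points named above (an internet-facing CMS admin panel, a brute-forced login and a webshell dropped through an upload path) all leave traces in the web server's access log, which is exactly the PCI DSS 10.2/10.3 evidence an investigator asks for. The following is an added example, not code from the PCI SSC post or from Risk-X: it runs three detection checks over constructed access log lines in a combined-log-like layout. The log format, the CMS paths, the management allowlist address, the failure heuristic (a login POST that is not answered with a redirect counts as a failure) and the five-attempts-in-sixty-seconds threshold are all assumptions chosen for the example.

```python
"""Detection checks over constructed web-server access log lines.

Added example, not from the PCI SSC post or from Risk-X. Flags three things
the interview names as common breach causes: a brute-force against a CMS
login, an admin panel reachable from outside the management allowlist, and
a script file being served from an upload directory (webshell indicator).
Log layout, paths, allowlist and thresholds are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-like layout (assumption): ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/admin/login")
ADMIN_PREFIXES = ("/wp-admin", "/administrator", "/admin")
UPLOAD_DIRS = ("/wp-content/uploads/", "/uploads/", "/images/")
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")
MGMT_ALLOWLIST = {"198.51.100.10"}          # assumed management address
BRUTE_FORCE_ATTEMPTS = 5                    # assumed threshold
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # assumed window

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1203
203.0.113.7 - - [10/Mar/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1203
203.0.113.7 - - [10/Mar/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1203
203.0.113.7 - - [10/Mar/2018:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1203
203.0.113.7 - - [10/Mar/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1203
203.0.113.7 - - [10/Mar/2018:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2018:10:00:12 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 5310
198.51.100.10 - - [10/Mar/2018:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 4410
192.0.2.55 - - [10/Mar/2018:11:30:00 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 88
192.0.2.55 - - [10/Mar/2018:11:30:04 +0000] "GET /wp-content/uploads/2018/03/cache.php HTTP/1.1" 200 512
198.51.100.23 - - [10/Mar/2018:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 7000
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def detect_brute_force(events):
    """IPs with >= BRUTE_FORCE_ATTEMPTS failed login POSTs inside the window.
    Heuristic (assumption): a login POST not answered with 302 is a failure."""
    failures = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS and e["status"] != 302:
            failures[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - BRUTE_FORCE_ATTEMPTS + 1):
            if times[i + BRUTE_FORCE_ATTEMPTS - 1] - times[i] <= BRUTE_FORCE_WINDOW:
                hits[ip] = len(times)
                break
    return hits


def detect_webshell(events):
    """Requests for script files under upload directories: an upload directory
    should never serve executable code, so any such request is a finding."""
    return [(e["ip"], e["path"]) for e in events
            if e["path"].split("?")[0].lower().endswith(SCRIPT_EXTS)
            and e["path"].startswith(UPLOAD_DIRS)]


def detect_exposed_admin(events):
    """Admin-panel requests from outside the management allowlist, i.e. evidence
    the panel is reachable from the internet rather than hidden by firewall rules."""
    return sorted({e["ip"] for e in events
                   if e["path"].startswith(ADMIN_PREFIXES) and e["ip"] not in MGMT_ALLOWLIST})


def run_checks(log_text):
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    return {"brute_force": detect_brute_force(events),
            "webshell": detect_webshell(events),
            "exposed_admin": detect_exposed_admin(events)}


if __name__ == "__main__":
    for name, finding in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Each check only works if the log survives, which is why the list above pairs logging with keeping it off the public-facing host: a webshell with write access to the web root can edit the local access log, but not a copy already shipped to a separate log server.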
As a seasoned QSA, what are your thoughts on the Council’s efforts to help attract cybersecurity talent to the payment card industry with the recent introduction of the Associate QSA program?
Steve Marshall: I think that this is a fantastic idea! There is a story almost every day in the press or on social media about the lack of cyber security skills that are available to businesses within both local and global markets. This, coupled with the World Economic Forum’s Global Risks Report 2018 (13th Edition) listing cyberattacks and massive data fraud/theft in the top five global risks by perceived likelihood, surely gives us the perfect storm in relation to lack of skill and expertise coupled with an increase in the likelihood that attacks, fraud and theft will occur. Gone are the days where cyberattacks are conducted to demonstrate skill, for fun, defacement or other reasons that are not financially motivated. Therefore, the payment card industry is an attractive target due to the ‘arm’s length’ nature of a lot of the fraud committed, it being seen as a victimless crime, the perception that the card schemes will cover the costs and international law enforcement having jurisdictional issues. Collectively as an industry we therefore need to do more to stem this tide, and tip the balance back in our favour.
The birth of the Associate QSA program is a great first step and lays the groundwork for people to be able to build a career as a consultant in the payments industry, thus ensuring a continued pool of highly skilled resources. I lend my support to this and highly recommend that the PCI SSC extend these programs further, and I hope to play a more active role in their continued development.
What were the key takeaways you hope the audience at the Middle East and Africa conference came away with from your presentation?
Steve Marshall: There were two key takeaways, one for merchants and one for service providers.
The first is for merchants. The key takeaway is that you are a target for fraud whilst you do not devalue payment card data by securing it as close to the point of inception as possible. What I mean by this is that without the use of Point-to-Point Encryption (P2PE) for face-to-face transactions, secure voice solutions and properly implemented hosted payment pages for e-commerce transactions, you are an attractive target for criminals, as you have data within the environment that can be intercepted. So descope as aggressively as possible and outsource to reputable, compliant and secure service providers/payment switches.
The second is for service providers. The key takeaway is that there is a real business opportunity within the market to develop good, robust, secure and compliant services to address the needs of the merchant community. However, ensure that you follow PCI DSS and have robust processes, procedures and controls in place, so that you do not become the next victim.
Don’t forget that these takeaways apply equally to all other regions as well!
Want to hear more insights from regional and global payment security experts? Attend the next PCI SSC Community Meeting on 23-24 May in Tokyo, Japan: