PCI DSS 3.2 – Important 31 January 2018 Deadline & Clarifications

Overview

In April 2016, Version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) was released. This new version of the standard contains a number of new requirements which come into full force as of 1 February 2018. This document provides an overview of what is new in Version 3.2, separated by:

  • Clarification of requirements that came into force for all Version 3.2 reports.
  • New requirements that come into force for all parties (merchants and service providers) as of 1 February 2018.
  • New requirements that come into force for service providers only as of 1 February 2018.
  • Sunset date for SSL and Early TLS.

This document summarises what Confide has seen from assessments undertaken since Version 3.2 was released and the information that has been provided by the PCI Security Standards Council.

Clarification (Applicable for all 3.2 reports)

1.1.6.a: Identify the firewall and router configuration standards document(s) reviewed to verify the document(s) contain a list of all services, protocols, and ports necessary, including a business justification and approval for each.

These approvals should be granted by someone other than a person who is responsible for managing the configuration. For example, this might include a Security Officer or other role who is responsible for overseeing the PCI DSS process internally, or by someone outside of the standard team of people who are responsible for performing the day to day management of network devices.

6.5: Address common coding vulnerabilities in software-development processes as follows:

  • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
  • Develop applications based on secure coding guidelines.

The requirement for developer training is not new. However, in Version 3.2, it was clarified that this training must take place for all developers at least annually. We also recommend that testers attend this training as well to ensure that they are adequately equipped to test for basic security vulnerabilities.

11.3.4.c: Verify that the [segmentation penetration test] was performed by a qualified internal resource or qualified external third party, and if applicable, the organisational independence of the tester exists (not required to be a QSA or ASV).

The requirement for segmentation testing is not new. However, in Version 3.2, a clarification was made that brings the requirements for how segmentation penetration testing is performed into line with the requirements for internal and external penetration testing. The person performing the segmentation testing must be either a qualified internal resource or a qualified external third party, and there must be sufficient organisational independence (e.g. the penetration testing should not be done by individuals who are responsible for the day to day management of the systems, or who report directly to the staff responsible for those teams).

12.3.3: Verify that the usage policies define:

  • A list of all critical devices, and
  • A list of personnel authorised to use the devices

The wording of this requirement has been adjusted to ensure that it is clear that the usage policies must include both a list of the critical devices in the environment and a list of the personnel authorised to use the devices. This needs to be documented and cannot be considered “self-documenting” as part of a system such as Active Directory or LDAP.

Additional Requirements for All Parties (as of 1 February 2018)

There are several new requirements that come into force for both merchants and service providers.

6.4.6: Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.

To ensure that this requirement is met, Confide recommends that a clear definition of what constitutes a “significant change” be defined within the processes so that it is possible for staff to identify when this level of review is required. While the PCI Council does not provide a definitive definition of what constitutes a significant change, guidance from Requirement 11.2 suggests this includes (but is not limited to):

  • New system component installations
  • Changes in network topology
  • Firewall rule modifications
  • Product upgrades
  • Operating system upgrades
  • Sub-networks being added to the environment
  • New web servers

Once significant changes have been defined, we recommend developing a set of templates for reviewing the relevant PCI DSS requirements to ensure that both (1) the relevant requirements have been put in place prior to the system going live, and (2) sufficient testing has been done to meet the requirements for PCI DSS (e.g. penetration testing, vulnerability scanning, etc.). Incorporating this into the change control process is one option.

8.3.1: Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

The PCI Security Standards Council recently published a guidance document on what constitutes multi-factor authentication (see: https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf).

In this document they provide a number of examples of what does and does not constitute multi-factor authentication and where multi-factor can be placed in the environment. We also recommend reviewing the PCI Security Standards Council’s guidance on Segmentation and Scoping (see: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf), as the way that multi-factor is implemented may be influenced by how you have decided to segment the environment.

Additional Service Provider Requirements (as of 1 February 2018)

These new requirements are currently only applicable to service providers. As defined by the PCI DSS, a service provider is any business that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another organisation, or that otherwise impacts the security of cardholder data.

3.5.1: Maintain a documented description of the cryptographic architecture that includes:

  • Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
  • Description of the key usage for each key
  • Inventory of any HSMs and other SCDs used for key management

While policies and procedures for key management and the management of encryption devices have long been required, this requirement sets out a new level of detail that must be documented around how cardholder data is protected. In part, this also helps the organisation to keep up with evolving threats to the architecture, and to detect lost or missing keys or associated devices.

10.8: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:

  • Firewalls
  • IDS/IPS
  • FIM
  • Anti-virus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)

This requirement is aimed at addressing the increased threat of intrusions going undetected for an extended period of time. Detecting failures in a timely manner requires a proactive process to be in place. There is not yet any clear guidance on what constitutes a timely manner; however, automated tools are likely to make this task significantly easier.

10.8.1: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:

  • Restoring security functions
  • Identifying and documenting the duration (date and time start to end) of the security failure
  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent cause of failure from reoccurring
  • Resuming monitoring of security controls.

While this requirement relates directly to the failures identified under Requirement 10.8, it is an incident management requirement: it extends the incident management procedures to cover the event of a critical security control failing. Due to the newness of this requirement and the extensive reporting requirements that go along with it, we recommend that this process be tested as part of the process development, to ensure that it can be embedded within the organisation’s incident processes.

11.3.4.1: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

While this is a new requirement, it extends the existing requirement for organisations that use segmentation to test the effectiveness of that segmentation; the new requirement increases the frequency with which service providers must perform this testing. While there is no requirement for the testing to be done by an external third party, any internal party must be able to demonstrate both (1) that they are appropriately qualified to perform the testing, and (2) that they are organisationally independent.

12.4.1: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

  • Overall accountability for maintaining PCI DSS compliance
  • Defining a charter for a PCI DSS compliance program and communication to executive management.

The remaining new requirements are focused on the overarching governance processes to help ensure that PCI DSS is not treated as a point-in-time event, but instead is integrated into the BAU processes. As part of that, there needs to be a commitment at the senior level to ensure that PCI DSS is visible at the executive level.

12.11: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:

  • Daily log reviews
  • Firewall rule-set reviews
  • Applying configuration standards to new systems
  • Responding to security alerts
  • Change management processes

This requirement and Requirement 12.11.1 help to ensure that processes are regularly reviewed to ensure that they are being followed. While this requirement is not meant to repeat the testing from the PCI DSS requirements, understanding the underlying intention of each of these requirements should guide how the review process is carried out. This also helps to ensure that failures in processes can be identified early, so as to minimise the risk to PCI DSS compliance.

12.11.1: Maintain documentation of quarterly review processes to include:

  • Documenting results of the reviews
  • Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program.

This requirement ties together the review documentation from Requirement 12.11 and the governance processes from Requirement 12.4, and helps to ensure that the processes that affect PCI DSS compliance are clearly visible to senior management.

TLS Requirements (1 July 2018)

After 30 June 2016, all entities must have stopped use of SSL/early TLS as a security control, and only use secure versions of the protocol.

Prior to 30 June 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

Appendix 2 covers the requirements for SSL / Early TLS.

Given the impending deadline for disabling SSL and early TLS, we recommend reviewing the current need for these protocols more frequently, to determine whether it is possible to disable them prior to the deadline.

Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry.

5 Benefits of Custom Business Software Applications

As companies continue to invest in their technology and processes, it is becoming apparent that one size does not fit all. The same goes for investing in business applications through out-of-the-box software packages, software consultancies or application frameworks. While business owners may choose generic software applications, there are many benefits to developing custom programs. In this post, we will cover how those custom applications can drive growth for your business.

Flexible Applications

Surely, custom applications have the maximum amount of flexibility. You can program everything just the way that you work. With a completely custom business solution, you have the ability to create any process, workflow or application that your company needs. Moreover, an off-the-shelf application will have a hard time matching the flexibility of applications designed specifically for your processes.

Improved Security

Especially if you have a good team, a custom program will have higher levels of security. Since custom applications are unique to your organization, there is a much lower chance of hackers learning the ins and outs of your software. Compared to mainstream business solutions that cyber criminals can test against, the unique development of your software is less likely to get targeted. Absolutely, a security conscious business that wants to prevent hackers could benefit from custom built applications.

Direct Integration

Moreover, custom business systems directly integrate with your existing processes. If you already have other software running for various company departments, it’s easy to keep them. Your custom applications can pull and push data as needed to create the perfect solution for your organizational needs. This makes the integration process easier, giving your company time and resources to grow.

Web Based Management

In addition to integration benefits, custom built systems allow you to build fully web based management tools. According to Unim – Business management system, custom web applications are replacing bloated project management and CRM tools. Best of all, they are accessible to your team members, partners or clients from any web browser. With a custom web-based application, you have full control over what is accessible online.

Custom Is Scalable

Over time, the needs of your business will change. Custom software will support your business growth rather than limit it. Compared to “one-size-fits-all” software, the capacity to change, automate and scale your software is critical to organizational growth. It will meet the needs of your current business processes while adapting or evolving to the needs of the future as well.

Growth should be a major priority for your business. If so, then integrate custom business systems into your future plans. The flexibility of the technology will allow your employees to work smarter, not harder. Your systems will be more secure while integrating with existing processes. On top of that, custom business apps offer the option for web based access or limitations. Finally, your custom business system will help your business grow now and then adapt to the new needs in the future. Positively, a custom business application can give your company the added resources to accelerate growth.

Blockchain & Cryptocurrencies What’s All the Fuss About

“Blockchain” and “cryptocurrency” are among some of the most-searched terms in Google recently thanks to news about BitCoin’s price surging. Most people don’t have a clue about what these terms are (hence the searches) but they do know that cryptocurrencies are a form of investment like forex. Unfortunately, while the principle is similar because cryptocurrencies are a traded form of currency, the way BitCoin works is completely different to any kind of currency pair that you can find.

To help you out, we’re going to talk about blockchains and cryptocurrencies to help you achieve a better understanding of what it’s all about.

Defining Blockchains and Cryptocurrencies

Let’s start with the basics and explain what these two terms mean.

  • Blockchains are essentially digital ledgers where transactions in cryptocurrencies are recorded. It’s a form of technology that enables cryptocurrencies to exist in the first place. Think of it as a gigantic database where every single transaction is kept in chronological order. You don’t need to understand how it works if you’re interested in BitCoin or another cryptocurrency, but it’s nice to get a general overview of what it implies.
  • Cryptocurrencies are digital currencies that utilize encryption techniques to safely regulate their value and also validate transfers. These cryptocurrencies are independent of banks and they’re generated digitally. Two good examples of popular cryptocurrencies are BitCoin and Ethereum. There are many different advantages to both the currencies and their values fluctuate drastically over the years. Ethereum, for instance, was worth $10 per unit in 2017. Currently, they are quoted at around $800. Ripple is another popular cryptocurrency that has recently grown in popularity.

Now that you have a basic understanding of blockchains and cryptocurrencies, let’s see what the fuss is all about and why it’s making waves in the news.

Advantages of Cryptocurrencies

So why use cryptocurrencies over regular currency? Here are just a couple of the most popular advantages:

  • Lower transaction fees. Unlike other currencies, there are lower fees involved when making payments with cryptocurrencies.
  • Immediate transactions. Transactions are immediately resolved when using cryptocurrencies unless a third-party is involved.
  • No risk of fraud. Cryptocurrencies are completely digital and, unlike paper money, cannot be counterfeited.
  • No risk of identity theft. Since your personal information isn’t handed out when making payments with cryptocurrencies (unlike credit and debit cards) you’re not at risk of identity theft.
  • Decentralized currencies. Cryptocurrencies are decentralized which means that there isn’t a single source or authority that governs it.
  • Universal use. Virtually every country can adopt cryptocurrencies because they are not bound by various rates like exchange rates. They can be universally used as long as a cash system supports it.

Industries That Use Cryptocurrencies

As you might expect, cryptocurrencies are slowly becoming more mainstream and being used in all kinds of different industries. One of the first industries to adopt the use of cryptocurrency is the technology industry. Early uses of cryptocurrencies involved being able to purchase goods on the internet or trade digital items and pay for services. There are now many uses for cryptocurrency on the web, such as being able to make donations with it or accept crowdfunding payment.

Nowadays, the use of cryptocurrency is widespread and marketers are all over it, using social media, blogs, lead generation pages to spread the word. So which industries are using it right now? Some car dealerships offer vehicles for BitCoins and there are even some realtors that accept BitCoin payments. With the use of BitCoin expanding so rapidly, don’t be surprised to see your local coffee shop offering goods for cryptocurrency in a few years or even months.

Here’s some information on two of the most popular cryptocurrencies, Bitcoin and Ethereum, and why you should take notice of Ripple…

Bitcoin

Bitcoin is the world’s first and top cryptocurrency, and it has gained popularity and a huge increase in value. It was created in 2009 by a person under the alias Satoshi Nakamoto. Its main feature is that transactions can be made without the middle man, meaning that no banks are involved!

You can use Bitcoin to book hotels, pay for Xbox games, and buy furniture. But most of its hype has recently come from people trading it. As of now, its price is $8,207.77, having been past the $10,000 mark in 2017.

Another reason why Bitcoin is amazing is because it can be mined. A person (company or group) can mine Bitcoin through record-keeping and advanced math. This is how it works: when someone sends Bitcoin to someone else, the network records it and then records the other transactions and places them on a “block.”

Miners use powerful hardware and specialized software to convert the blocks into code sequences known as a “hash.” Once a new hash is made, the miners who found it are rewarded in Bitcoin. As of now, miners can obtain 12.5 Bitcoins, which are worth around $225,000 at this time.

Bitcoin is ranked first because it started new concepts such as “decentralization” and “peer to peer trading.” We would see other cryptocurrencies, such as Ethereum use this concept to help users make apps and trade their currencies at a rate that’s faster than Bitcoin.

Speaking of Ethereum…

Ethereum

Ranked second on our list is Ethereum. Like Bitcoin, Ethereum is running on a public blockchain network. While Bitcoin and Ethereum are completely different in technology, their largest distinction is their difference in capability and purpose.

Ethereum’s blockchain is used to run program code for any decentralized application. Instead of miners obtaining Bitcoin, they receive Ether, the main currency that fuels the network.

Ethereum also has smart contracts, which act like self-running computer programs that automatically execute once specific conditions are met. Since they are running on the blockchain, the code can run without downtime, third party interference, or censorship.

What makes Ethereum a top cryptocurrency is its ability to let startups create decentralized apps. They can receive funding from other Ether owners to help power their app without the long process of seeking a venture capitalist to invest in them. Ethereum is now priced at $857.70, which we can only expect it to grow due to the development apps on its platform.

Ripple

Ripple is the third top cryptocurrency on our list. Like other cryptos, Ripple has a distributed ledger network that allows users to help each other validate transactions. This makes it more efficient and faster than traditional centralized authorities.

What sets Ripple apart is its transaction speed. On average, Bitcoin takes about 10 minutes to complete a transaction. Ripple can accomplish this task in under 60 seconds. This makes Ripple more appealing to a mass market, which needs a faster network to help them pay for goods.

Ripple is currently developed by Ripple Labs. As of now, there are 100 billion XRP available, as it cannot be mined. Ripple’s current price is $0.73, making it the cheapest option on this list.

While other cryptos are used for separating financial transactions from centralized banking, Ripple seems to do the opposite.

Closing Thoughts

To conclude, we believe that each of these cryptocurrencies provides a lot of value into today’s current market. Not only are they bringing in new financial options for users, but their combined technology helps make transactions safer and faster. Ultimately, it will be interesting to see how these cryptocurrencies will act as blockchain technology continues to evolve.

Disclaimer: This post was made to educate users on cryptocurrency. Don’t take it as investment advice.

Proactive vs. Reactive Live Chat: What are the differences?

Why Is Live Chat so Important?

Live chat is an important addition to any company website. It makes things easier for everyone. Without any doubt, live chat benefits both the business and its clients. For many online service providers live chat is an absolute necessity. For others it isn’t, but it still can be a great vehicle toward a successful online presence and increased trust.

User statistics clearly show that live chat increases the credibility of a company, helps build better connection with the clients, provides back and forth interaction with the users. In turn, this feedback helps keep the services relevant and aligned with the customers’ needs and helps resolve any potential issues in a timely manner. Lastly, the modern live chat applications of today provide an invaluable insight in the ways people interact with a web page and about their points of interest.

Compared to email or phone support, live chat brings much greater benefits.

The Differences Between Proactive and Reactive Live Chat

One of the things unique to live chat is the fact that it can be offered proactively to the people visiting your web page. Neither email, nor phone are suitable for such service.

These differences between proactive and reactive chat are significant and should be checked carefully. They can be summed up in a few categories. To find out which offers better customer experience, greater satisfaction and potential for conversion, a statistical analysis must be completed.

First of all, reactive live chat is there when the customers ask for it. Proactive, on the other hand, occurs when the communication is initiated by the chat operator, who offers assistance before the visitor has requested help.

When it comes to speed, things are a bit blurry. Reactive is fast, this much is undeniable; on average, a chat request is addressed within 23 seconds. It is infinitely faster than email and considerably faster than phone, in most cases.

Then again, how do you measure the speed of a proactive chat?

Reactive chat is good for the customers. They usually remain happy, with an engagement rate around 7.8%.

But things get even better for the proactive chat. The engagement rate is only 2%, but customers approached proactively are 6.3 times more likely to make a purchase than those left to their own devices.

Sounds amazing, does it not?

But there is more. If you use proactive chat together with a reactive chat service, the results will be magnificent. The number of satisfied customers and volume of purchases can increase anywhere from 40% to 100%.

All of this is possible, thanks to a few simple implementations, as the best live chat applications can be put to a good use within hours.

It is important to realize just how valuable live chat can be. It is vital to understand fully how it works and what the different types are.

Once you obtain that knowledge, you can use it and achieve great results for yourself and your business.

No matter what your website looks like, live chat has the potential to increase greatly the customers’ satisfaction and engagement. Check out this awesome live chat infographic for more information.
