Being a responsible corporate citizen and member of the local community is at the core of Control Gap’s daily operations. We believe in making work a rewarding experience by incorporating fun team events within our corporate culture, and supporting cause-related and local organizations.

Blog

What's the minimum I need to do for PCI? (published 2019-07-18)

As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do to pass PCI?”

In almost all initial engagements as QSAs, PA-QSAs, and P2PE QSAs, one common question we are asked is “What’s the minimum I need to do for PCI?” The answer can be frustrating for both the QSA and the client, because it is neither simple nor straightforward.

PCI DSS is a security framework focused on an organization’s credit card processing operations. Its requirements and scope are dictated by where an organization stores, processes and transmits credit card data; however, scope also includes the secondary systems and third parties that connect to, or may impact the security of, the environment where credit cards are used. It does not define all the security controls an organization should have in place. Rather, it looks at specific security controls and procedures to ensure that credit cards are handled in a secure manner.

As organizations become more aware of security and the fundamental role it plays throughout the enterprise, a new level of maturity begins to ensure that security processes, technologies and policies become ingrained in the DNA of the organization. What many organizations do not realize is that once you have achieved PCI DSS compliance, the rest of the enterprise invariably follows. Since organizational policies, standards and operational processes are modified to align with PCI DSS, the downstream effect is that all organizational systems, applications, and business and IT operational processes are also reviewed and transformed.

The conversation then moves from “What’s the minimum for PCI?” to “Why are we not doing this for everything?”, which is the right direction of maturity.

An example I can share is an organization which stood up 2 environments for remote access.

  • The first environment was managed according to the requirements and processes that security required which also aligned to PCI DSS. This environment was solely used as the remote jump point into the cardholder data environment.
  • The second environment was initially created as identical to the first remote access environment; however, it was not bound by the same security “rules” as the first environment and was used as the remote jump point to access all non-cardholder data environment systems.

Long story short, within 6 months the first environment was operational and had little to no functional problems. It was properly maintained with the change control, access management, non-repudiation and rigour that the security team wanted to implement within the organization. The second environment had incorrect versions of software, additional unapproved tools and software installed, and little to no tracking of the activities that occurred within it; the system had become unstable and non-functional. It was decided to rebuild that environment from scratch and apply the same level of security rigour as the first. This example demonstrates how security controls, when adhered to, can help an organization reduce operational costs.

Organizations need to spend less effort making PCI DSS compliance a project, and instead modify, enhance or transform their current security processes and strategies to embrace whichever security frameworks their industry requires, whether PCI DSS, ISO 27001, PIPEDA, HIPAA, GDPR, NIST or ITIL. The most mature organizations understand that security operations have a seat at the table to help shape the direction and focus of the organization. The journey to compliance may be longer, but the effort pays dividends in the end. It has been our experience that organizations that embed security and compliance into their business-as-usual processes are more resilient in accepting changes in the business, more in tune with the risks and threats to their organization, and better prepared to respond to their customers' concerns.


Why POI Tamper Inspections are so Important (published 2019-06-19)

It is amazing to see how many organizations take things for granted in their environment. In the video below, you can see a skimmer device installed in a retail location. The attendant was distracted for less than 20 seconds and the card skimming device was in place in 5 seconds. No special tools or techniques were required. The device is mounted to a stand which should, for all intents and purposes, be secure from theft or direct tampering, but not from an overlay.

Video from Inside Edition: https://youtu.be/5b1axnNK-wI

Sometimes the simplest processes, like inspecting a device before use, can go a long way toward ensuring thieves do not compromise your environment. Without a proper inspection procedure, this device could be in place for months before anyone noticed.

PCI DSS Requirement 9.9 requires anyone with a POI device, such as a PIN pad, to have appropriate procedures to inspect devices to help detect tampering. This applies to all devices, whether a traditional counter-top device or a mobile device.

In your environment, how often is an employee distracted and likely to leave their register or POI device unattended? Would they notice a change in the POI device? And lastly, have you ever considered testing staff in your retail locations to see how long it would take them to notice?

Original article: https://www.linkedin.com/pulse/why-poi-tamper-inspections-so-important-robert-spivak
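One way to make the inspection procedure the post describes auditable, as an added example that is not code from the original post: reconcile a POI device inventory (Requirement 9.9 expects a list of devices with model, location and serial number) against the inspection log, flag swapped serials, overdue inspections, unknown devices and reported tamper signs, and measure how many days a simulated swap goes unnoticed. The inventory, log rows, field names and 7-day interval are constructed assumptions.

```python
"""Reconcile a POI device inventory against tamper-inspection records.

Added example (not from the original post). Inventory, inspection rows,
field names and the 7-day inspection interval are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: what the store believes it has deployed.
INVENTORY = [
    {"serial": "PP-0001", "model": "ExamplePad 100", "location": "Lane 1"},
    {"serial": "PP-0002", "model": "ExamplePad 100", "location": "Lane 2"},
    {"serial": "PP-0003", "model": "ExamplePad 200", "location": "Kiosk"},
]

# Constructed inspection log: one row per physical check of a device.
INSPECTIONS = [
    {"date": "2019-06-10", "location": "Lane 1", "serial_seen": "PP-0001", "tamper_signs": False},
    {"date": "2019-06-17", "location": "Lane 1", "serial_seen": "PP-0001", "tamper_signs": False},
    {"date": "2019-06-17", "location": "Lane 2", "serial_seen": "PP-0009", "tamper_signs": False},  # serial differs: possible swap
    {"date": "2019-06-03", "location": "Kiosk",  "serial_seen": "PP-0003", "tamper_signs": True},   # stale and tamper signs
    {"date": "2019-06-17", "location": "Lane 5", "serial_seen": "PP-0042", "tamper_signs": False},  # location not in inventory
]


@dataclass(frozen=True)
class Finding:
    kind: str        # "serial_mismatch", "overdue", "unknown_device" or "tamper_reported"
    location: str
    detail: str


def _as_date(value):
    """Accept ISO strings or date objects so callers need no datetime import."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def _latest_per_location(inspections):
    """Map location -> (date, row) of the most recent inspection there."""
    latest = {}
    for row in inspections:
        when = _as_date(row["date"])
        current = latest.get(row["location"])
        if current is None or when > current[0]:
            latest[row["location"]] = (when, row)
    return latest


def reconcile(inventory, inspections, as_of, max_age_days=7):
    """Return findings for every inventory location and every unexpected one."""
    as_of = _as_date(as_of)
    findings = []
    latest = _latest_per_location(inspections)
    known = {d["location"]: d for d in inventory}
    for location, device in known.items():
        entry = latest.get(location)
        if entry is None:
            findings.append(Finding("overdue", location, "never inspected"))
            continue
        when, row = entry
        age = (as_of - when).days
        if age > max_age_days:
            findings.append(Finding("overdue", location, f"last inspected {age} days ago"))
        if row["serial_seen"] != device["serial"]:
            findings.append(Finding("serial_mismatch", location,
                                    f"expected {device['serial']}, saw {row['serial_seen']}"))
        if row["tamper_signs"]:
            findings.append(Finding("tamper_reported", location, "inspector reported signs of tampering"))
    for location, (_, row) in latest.items():
        if location not in known:
            findings.append(Finding("unknown_device", location,
                                    f"serial {row['serial_seen']} is not in the inventory"))
    return sorted(findings, key=lambda f: (f.location, f.kind))


def days_to_notice(inventory, inspections, location, swapped_on):
    """Days from a simulated device swap at `location` until the first later
    inspection records a serial that differs from inventory; None if never."""
    swapped_on = _as_date(swapped_on)
    expected = {d["location"]: d["serial"] for d in inventory}[location]
    hits = sorted(_as_date(r["date"]) for r in inspections
                  if r["location"] == location and r["serial_seen"] != expected
                  and _as_date(r["date"]) >= swapped_on)
    return (hits[0] - swapped_on).days if hits else None


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, INSPECTIONS, "2019-06-19"):
        print(finding)
    print("Lane 2 swap noticed after", days_to_notice(INVENTORY, INSPECTIONS, "Lane 2", "2019-06-12"), "days")
```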

NIST is Sunsetting Triple DES - so what will the Financial Industry do? (published 2019-04-09)

NIST recently published the document "Transitioning the Use of Cryptographic Algorithms and Key Lengths", which formalizes the sunset of Triple DES by the end of 2023. Afterwards it will only be recommended for legacy use, which means decryption only.

Triple DES (aka TDEA/TDES) is used to protect Web Sites, Virtual Private Networks, remote sessions, e-commerce transactions, and more. TDES is embedded in the hardware of commercial and consumer products including network gear like routers, firewalls, VPNs, and load balancers; and computers like servers, PCs, and laptops. TDES hardware is also widely deployed in the core infrastructure of the financial industry. It powers Point-of-Sale terminals and PIN pads, ATM/ABMs, gas pumps, kiosks, Host Security Modules (HSMs), and more. TDES is supported in standards including ISO, ANSI, and PCI. And there are also many standard mechanisms built upon TDES. It's safe to say that the investment in TDES can be measured in the billions of dollars.

All of these standards bodies have been working diligently on updating everything built upon TDES. Industry has known for a long time that AES would replace TDES. As a result, a lot of commercial information security gear has supported both TDES and AES in parallel, so extensive hardware upgrades should not be required. However, much of the migration cost will be on the so-called "soft" side, in activities like management, configuration, and transition. The financial industry has additional challenges, as changing financial cryptography requires a far more deliberate and careful approach to ensure compliance with a broad range of regulations and standards.

While the financial industry often follows NIST guidance, it's a fairly safe bet that it will not want to replace or mitigate all of this kit quickly. This raises some questions:

  • When (not if) will they follow NIST in deprecating TDES?
  • What will their guidance be?

If the financial industry chooses to deviate from NIST and delay the sunset, there is justification. We've previously recommended considering the strength of use-cases in transition planning and prioritization [See 2]. It is important to remember that while TDES has been deprecated as a general-purpose cipher, some use-cases are inherently safer. We know that some of the financial industry's most widely deployed use-cases are safer, so delaying the sunset of those use-cases is neither unreasonable nor unjustified.
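The transition the post describes, turned into an inventory check as an added example (not code from the original post, NIST or Control Gap): classify TLS/VPN cipher-suite names by block cipher, report whether TDES encryption is still acceptable on a given date (the post's reading of SP 800-131A Rev. 2: sunset at the end of 2023, then decrypt-only legacy use), and compute the per-key data limit that the 64-bit block of TDES imposes (the Sweet32 issue in reference 2) against the 128-bit block of AES (reference 3). The substring patterns, the sample suite list and the sunset date constant are assumptions.

```python
"""Flag TDES cipher suites against the transition timeline the post discusses.

Added example, not from the original post or from NIST. The pattern table,
sample suite names and the sunset date constant are constructed assumptions.
"""
from datetime import date

# The post: TDES is sunset by the end of 2023, then "legacy use" (decryption only).
TDES_ENCRYPT_SUNSET = date(2023, 12, 31)

# (substring in upper-cased suite name, algorithm, block size in bits).
# Order matters: TDES patterns are tried before the single-DES ones so that
# "DES-CBC3" is not mistaken for single DES. Constructed list.
_PATTERNS = (
    ("3DES", "TDES", 64),
    ("DES-CBC3", "TDES", 64),
    ("DES_EDE", "TDES", 64),
    ("TDEA", "TDES", 64),
    ("DES-CBC", "DES", 64),
    ("DES_CBC", "DES", 64),
    ("AES", "AES", 128),
    ("CHACHA20", "CHACHA20", None),   # stream cipher: no block-collision bound
)


def _as_date(value):
    """Accept ISO strings or date objects."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def block_cipher(suite):
    """Return (algorithm, block_bits) for a suite name, or (None, None) if unrecognized."""
    name = suite.upper()
    for needle, algorithm, bits in _PATTERNS:
        if needle in name:
            return algorithm, bits
    return None, None


def birthday_bound_bytes(block_bits):
    """Bytes that can be encrypted under one key before about 2^(n/2) blocks
    have been processed, where block collisions become likely (Sweet32).
    64-bit blocks give 2^32 blocks * 8 bytes = 32 GiB; 128-bit blocks give 2^68 bytes."""
    if block_bits is None:
        return None
    return (2 ** (block_bits // 2)) * (block_bits // 8)


def tdes_status(on):
    """Status of TDES *encryption* on a given date per the post's timeline."""
    return "acceptable" if _as_date(on) <= TDES_ENCRYPT_SUNSET else "legacy use only (decrypt)"


def suite_status(suite, on):
    """Classify one suite: algorithm, block size, transition status, per-key data limit."""
    algorithm, bits = block_cipher(suite)
    if algorithm == "TDES":
        status = tdes_status(on)
    elif algorithm == "DES":
        status = "disallowed"   # single DES was brute-forced in 1998 (reference 5)
    elif algorithm in ("AES", "CHACHA20"):
        status = "acceptable"
    else:
        status = "unknown"
    return {"suite": suite, "algorithm": algorithm, "block_bits": bits,
            "status": status, "bytes_per_key_limit": birthday_bound_bytes(bits)}


def audit(suites, on):
    """Return only the entries that need action: anything not 'acceptable'."""
    return [r for r in (suite_status(s, on) for s in suites) if r["status"] != "acceptable"]


# Constructed sample: what a TLS or VPN configuration review might list.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_SUITES, "2024-01-01"):
        print(row)
```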

Learn More

  1. NIST Special Publication (SP) 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths. Details: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
  2. Article discussing the implications to TDES and PCI: NIST Moves on Sweet32 – 3DES, Blowfish, and Others – Mostly Unsafe https://controlgap.com/blog/nist-moves-on-sweet32/
  3. AES was developed as a replacement for DES. It was standardized in 2001 and includes both stronger keys and stronger block lengths. See https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
  4. Triple DES (aka TDES, TDEA, and 3DES) was a clever way of strengthening and extending DES by using double and triple length keys to drive three encryption rounds. The design facilitated transition from DES using a single key mode. It was introduced in 1995. See https://en.wikipedia.org/wiki/Triple_DES
  5. Single DES was developed from 1973 and approved as a standard in 1976. An effort by EFF broke DES by brute force attack in 1998. See https://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
[post_title] => NIST is Sunsetting Triple DES - so what will the Financial Industry do? [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => nist-is-sunsetting-triple-des-so-what-will-the-financial-industry-do [to_ping] => [pinged] => https://controlgap.com/blog/nist-moves-on-sweet32/ [post_modified] => 2019-04-09 14:56:49 [post_modified_gmt] => 2019-04-09 14:56:49 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1994 [menu_order] => 30 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 3 [current_post] => -1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 2048 [post_author] => 2 [post_date] => 2019-07-18 18:16:47 [post_date_gmt] => 2019-07-18 18:16:47 [post_content] =>

As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do to pass PCI?”

In almost all initial engagements as QSAs, PA-QSAs, and P2PE QSAs, one common question that we are asked is “What’s the minimum I need to do for PCI?”. The answer to this question can be frustrating for both the QSA and the client, because the answer is neither simple nor straight forward.

PCI DSS is a security framework which has a focus on an organization’s credit card processing operations. The requirements and scope are dictated by where an organization stores, processes and transmits credit cards, however it also includes the secondary systems and third parties that connect to, or may impact the security of, the environment where credit cards are used. It does not define all security controls an organization should have in place. Rather is looks at specific security controls and procedures to ensure that credit cards are handled in a secure manner.

As organizations become more aware of security and the fundamental role it plays throughout the enterprise, a new level of maturity begins to ensure that security processes, technologies and policies become engrained in the DNA of the organization. What many organizations do not realize is that once you have achieved PCI DSS compliance, invariably the enterprise will follow. Since organizational policies, standards and operational processes are modified to align to PCI DSS, the downstream effect is that all organizational systems, applications, business and IT operational processes are also reviewed and transformed.

The conversation then moves from “What’s the minimum for PCI?” to “Why are we not doing this for everything?” Which is the right direction of maturity.

An example I can share is an organization which stood up 2 environments for remote access.

  • The first environment was managed according to the requirements and processes that security required which also aligned to PCI DSS. This environment was solely used as the remote jump point into the cardholder data environment.
  • The second environment was initially created as identical to the first remote access environment; however, it was not bound by the same security “rules” as the first environment and was used as the remote jump point to access all non-cardholder data environment systems.

Long story short, within 6 months, the first environment was operational and had little to no functional problems. It was properly maintained with the correct change control, access management, no-repudiation and rigour that the security team wanted to implement within the organization. The second environment had issues with incorrect versions of software, additional/unapproved tools and software installed, and little to no tracking of activities that occurred within the environment, the system had become unstable and non-functional. It was decided to rebuild the environment from scratch and apply the same level of security rigour as the first environment. This example demonstrates how security controls can help an organization to reduce operational costs when adhered to.

Organizations need to spend less effort making PCI DSS compliance a project, and take the approach to modify, enhance or transform their current security processes and strategies to embrace any security framework that is required within their industry, whether it be PCI DSS, ISO 27001, PIPDEA, HIPA, GDPR, NIST or ITIL. The most mature organizations understand that security operations have a seat at the table help shape the direction and focus of the organization. The journey to compliance may be longer, but the effort pays dividends in the end. It has been our experience that organizations that embed security and compliance into their business as usual processes are more resilient to accepting changes in the business, more in tune with risks and threats to their organization, and better prepared to respond to their customers concerns.

Build a Mature Organization, Securely.

Learn more

[post_title] => What's the minimum I need to do for PCI? [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => whats-the-minimum-i-need-to-do-for-pci [to_ping] => [pinged] => https://controlgap.com/blog/connected-to-pci/ [post_modified] => 2019-07-18 18:16:49 [post_modified_gmt] => 2019-07-18 18:16:49 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=2048 [menu_order] => 14 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 55 [max_num_pages] => 19 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => 1 [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => 1 [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 0573d79d0a353cbc766661db59ba41a2 [query_vars_changed:WP_Query:private] => 1 [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )
WP_Query Object ( [query] => Array ( [post_type] => post [post_status] => publish [cat] => 14, 134, 1 [orderby] => date [order] => desc [posts_per_page] => 3 [paged] => 1 [ignore_sticky_posts] => 1 ) [query_vars] => Array ( [post_type] => post [post_status] => publish [cat] => 14 [orderby] => date [order] => DESC [posts_per_page] => 3 [paged] => 1 [ignore_sticky_posts] => 1 [error] => [m] => [p] => 0 [post_parent] => [subpost] => [subpost_id] => [attachment] => [attachment_id] => 0 [name] => [static] => [pagename] => [page_id] => 0 [second] => [minute] => [hour] => [day] => 0 [monthnum] => 0 [year] => 0 [w] => 0 [category_name] => charity [tag] => [tag_id] => [author] => [author_name] => [feed] => [tb] => [meta_key] => [meta_value] => [preview] => [s] => [sentence] => [title] => [fields] => [menu_order] => [embed] => [category__in] => Array ( ) [category__not_in] => Array ( ) [category__and] => Array ( ) [post__in] => Array ( ) [post__not_in] => Array ( ) [post_name__in] => Array ( ) [tag__in] => Array ( ) [tag__not_in] => Array ( ) [tag__and] => Array ( ) [tag_slug__in] => Array ( ) [tag_slug__and] => Array ( ) [post_parent__in] => Array ( ) [post_parent__not_in] => Array ( ) [author__in] => Array ( ) [author__not_in] => Array ( ) [update_post_term_cache] => 1 [suppress_filters] => [cache_results] => 1 [lazy_load_term_meta] => 1 [update_post_meta_cache] => 1 [nopaging] => [comments_per_page] => 50 [no_found_rows] => ) [tax_query] => WP_Tax_Query Object ( [queries] => Array ( [0] => Array ( [taxonomy] => category [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id [operator] => IN [include_children] => 1 ) ) [relation] => AND [table_aliases:protected] => Array ( [0] => wpcm_term_relationships ) [queried_terms] => Array ( [category] => Array ( [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id ) ) [primary_table] => wpcm_posts [primary_id_column] => ID ) [meta_query] => WP_Meta_Query Object ( [queries] => Array ( ) [relation] => 
[meta_table] => [meta_id_column] => [primary_table] => [primary_id_column] => [table_aliases:protected] => Array ( ) [clauses:protected] => Array ( ) [has_or_relation:protected] => ) [date_query] => [request] => SELECT SQL_CALC_FOUND_ROWS wpcm_posts.ID FROM wpcm_posts LEFT JOIN wpcm_term_relationships ON (wpcm_posts.ID = wpcm_term_relationships.object_id) WHERE 1=1 AND ( wpcm_term_relationships.term_taxonomy_id IN (1,14,134) ) AND wpcm_posts.post_type = 'post' AND ((wpcm_posts.post_status = 'publish')) GROUP BY wpcm_posts.ID ORDER BY wpcm_posts.menu_order, wpcm_posts.post_date DESC LIMIT 0, 3 [posts] => Array ( [0] => WP_Post Object ( [ID] => 2048 [post_author] => 2 [post_date] => 2019-07-18 18:16:47 [post_date_gmt] => 2019-07-18 18:16:47 [post_content] =>

As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do to pass PCI?”

In almost all initial engagements as QSAs, PA-QSAs, and P2PE QSAs, one common question that we are asked is “What’s the minimum I need to do for PCI?”. The answer to this question can be frustrating for both the QSA and the client, because the answer is neither simple nor straight forward.

PCI DSS is a security framework which has a focus on an organization’s credit card processing operations. The requirements and scope are dictated by where an organization stores, processes and transmits credit cards, however it also includes the secondary systems and third parties that connect to, or may impact the security of, the environment where credit cards are used. It does not define all security controls an organization should have in place. Rather is looks at specific security controls and procedures to ensure that credit cards are handled in a secure manner.

As organizations become more aware of security and the fundamental role it plays throughout the enterprise, a new level of maturity begins to ensure that security processes, technologies and policies become engrained in the DNA of the organization. What many organizations do not realize is that once you have achieved PCI DSS compliance, invariably the enterprise will follow. Since organizational policies, standards and operational processes are modified to align to PCI DSS, the downstream effect is that all organizational systems, applications, business and IT operational processes are also reviewed and transformed.

The conversation then moves from “What’s the minimum for PCI?” to “Why are we not doing this for everything?” Which is the right direction of maturity.

An example I can share is an organization which stood up 2 environments for remote access.

  • The first environment was managed according to the requirements and processes that security required which also aligned to PCI DSS. This environment was solely used as the remote jump point into the cardholder data environment.
  • The second environment was initially created as identical to the first remote access environment; however, it was not bound by the same security “rules” as the first environment and was used as the remote jump point to access all non-cardholder data environment systems.

Long story short, within 6 months, the first environment was operational and had little to no functional problems. It was properly maintained with the correct change control, access management, no-repudiation and rigour that the security team wanted to implement within the organization. The second environment had issues with incorrect versions of software, additional/unapproved tools and software installed, and little to no tracking of activities that occurred within the environment, the system had become unstable and non-functional. It was decided to rebuild the environment from scratch and apply the same level of security rigour as the first environment. This example demonstrates how security controls can help an organization to reduce operational costs when adhered to.

Organizations need to spend less effort making PCI DSS compliance a project, and take the approach to modify, enhance or transform their current security processes and strategies to embrace any security framework that is required within their industry, whether it be PCI DSS, ISO 27001, PIPDEA, HIPA, GDPR, NIST or ITIL. The most mature organizations understand that security operations have a seat at the table help shape the direction and focus of the organization. The journey to compliance may be longer, but the effort pays dividends in the end. It has been our experience that organizations that embed security and compliance into their business as usual processes are more resilient to accepting changes in the business, more in tune with risks and threats to their organization, and better prepared to respond to their customers concerns.

Build a Mature Organization, Securely.

Learn more

[post_title] => What's the minimum I need to do for PCI? [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => whats-the-minimum-i-need-to-do-for-pci [to_ping] => [pinged] => https://controlgap.com/blog/connected-to-pci/ [post_modified] => 2019-07-18 18:16:49 [post_modified_gmt] => 2019-07-18 18:16:49 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=2048 [menu_order] => 14 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 2042 [post_author] => 2 [post_date] => 2019-06-19 02:17:19 [post_date_gmt] => 2019-06-19 02:17:19 [post_content] =>

It is amazing to see how many organizations take things for granted in their environment. In the video below, you can see a skimmer device installed in a retail location. The attendant was distracted for less than 20 seconds and the card skimming device was in place in 5 seconds. No special tools or techniques were required. The device is mounted to a stand which should, for all intents and purposes, be secure from theft or direct tampering but not an overlay.

Video from Inside Edition: https://youtu.be/5b1axnNK-wI

Sometimes the simplest processes like inspecting a device before use, can go a long way to ensuring thieves do not compromise your environment. Without a proper inspection procedure, this device may be in place for months before anyone were to notice.

PCI DSS Requirement 9.9 requires anyone with a POI device such as a pin pad to ensure that they have appropriate procedures to inspect devices to help detect tampering. This should apply to all devices whether or not it is a traditional counter-top device or a mobile device.

In your environment, how many times is an employee distracted and may leave their register or POI device unattended? Would they notice the change in the POI device? And lastly, have you ever considered testing staff in your retail locations to see how long it would take to notice?

Originally article: https://www.linkedin.com/pulse/why-poi-tamper-inspections-so-important-robert-spivak

[post_title] => Why POI Tamper Inspections are so Important [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => why-poi-tamper-inspections-are-so-important [to_ping] => [pinged] => [post_modified] => 2019-06-19 10:59:04 [post_modified_gmt] => 2019-06-19 10:59:04 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=2042 [menu_order] => 19 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 1994 [post_author] => 2 [post_date] => 2019-04-09 14:30:00 [post_date_gmt] => 2019-04-09 14:30:00 [post_content] =>

NIST recently published a document "Transitioning the Use of Cryptographic Algorithms and Key Lengths" which formalizes the sunset of Triple DES by the end of 2023. Afterwards it will only be recommended for legacy use which means decryption only.

Triple DES (aka TDEA/TDES) is used to protect Web Sites, Virtual Private Networks, remote sessions, e-commerce transactions, and more. TDES is embedded in the hardware of commercial and consumer products including network gear like routers, firewalls, VPNs, and load balancers; and computers like servers, PCs, and laptops. TDES hardware is also widely deployed in the core infrastructure of the financial industry. It powers Point-of-Sale terminals and PIN pads, ATM/ABMs, gas pumps, kiosks, Host Security Modules (HSMs), and more. TDES is supported in standards including ISO, ANSI, and PCI. And there are also many standard mechanisms built upon TDES. It's safe to say that the investment in TDES can be measured in the billions of dollars.

All of these standards bodies have been working diligently on updating everything built upon TDES. Industry has known for a long time that AES would replace TDES. As a result a lot of commercial information security gear has supported both TDES and AES in parallel. Extensive hardware upgrades should not be required. However, much of the migration costs will be on the so-called "soft" side in activities like management, configuration, and transition. The financial industry has additional challenges as changing financial cryptography requires a far more deliberate and careful approach to ensure they comply with a broad range of regulations and standards.

And while they often follow NIST guidance, it's a fairly safe bet that the financial industry will not want to replace or mitigate all of this kit quickly. So this raises some questions:

  • When (not if) they will follow NIST to deprecate TDES?
  • What will their guidance be?

If the financial industry chooses to deviate from NIST and delay sunset there is justification. We've previously recommended considering the strength of use-cases in transition planning and prioritization [See 2]. It is important to remember that while TDES has been deprecated as a general purpose cipher that some use-cases are inherently safer. We know that some of the financial industry's most widely deployed use-cases are safer. So delaying the sunset of these use-cases is neither unreasonable nor unjustified.

Learn More

  1. NIST published (SP) 800-131A Revision 2, Transitioning the Use of Cryptographic Algorithms and Key Lengths. Details: https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
  2. Article discussing the implications to TDES and PCI: NIST Moves on Sweet32 – 3DES, Blowfish, and Others – Mostly Unsafe https://controlgap.com/blog/nist-moves-on-sweet32/
  3. AES was developed as a replacement for DES. It was standardized in 2001 and has both longer keys (128, 192 or 256 bits) and a larger block (128 bits versus 64 for DES). See https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
  4. Triple DES (aka TDES, TDEA, and 3DES) was a clever way of strengthening and extending DES by chaining three DES operations (encrypt, decrypt, encrypt) under a double- or triple-length key. Setting all three keys equal reduces it to single DES, which eased the transition from DES. It was introduced in 1995. See https://en.wikipedia.org/wiki/Triple_DES
  5. Single DES was developed from 1973 and approved as a standard in 1976. An effort by the EFF broke DES by brute-force attack in 1998. See https://en.wikipedia.org/wiki/Data_Encryption_Standard#Chronology
What’s the minimum I need to do for PCI?
July 18 2019

As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do to pass PCI?”

In almost all initial engagements as QSAs, PA-QSAs, and P2PE QSAs, one common question we are asked is “What’s the minimum I need to do for PCI?” The answer can be frustrating for both the QSA and the client, because it is neither simple nor straightforward.

PCI DSS is a security framework focused on an organization’s credit card processing operations. Its requirements and scope are dictated by where an organization stores, processes and transmits credit card data; however, scope also includes the secondary systems and third parties that connect to, or may impact the security of, the environment where credit cards are handled. PCI DSS does not define every security control an organization should have in place. Rather, it looks at specific security controls and procedures to ensure that credit cards are handled in a secure manner.

As organizations become more aware of security and the fundamental role it plays throughout the enterprise, a new level of maturity begins to ensure that security processes, technologies and policies become ingrained in the DNA of the organization. What many organizations do not realize is that once you have achieved PCI DSS compliance, the rest of the enterprise invariably follows. Since organizational policies, standards and operational processes are modified to align to PCI DSS, the downstream effect is that all organizational systems, applications, and business and IT operational processes are also reviewed and transformed.

The conversation then moves from “What’s the minimum for PCI?” to “Why are we not doing this for everything?” Which is the right direction of maturity.

An example I can share is an organization which stood up 2 environments for remote access.

  • The first environment was managed according to the requirements and processes that security required which also aligned to PCI DSS. This environment was solely used as the remote jump point into the cardholder data environment.
  • The second environment was initially created as identical to the first remote access environment; however, it was not bound by the same security “rules” as the first environment and was used as the remote jump point to access all non-cardholder data environment systems.

Long story short, within 6 months the first environment was operational and had little to no functional problems. It was properly maintained with the correct change control, access management, non-repudiation and rigour that the security team wanted to implement within the organization. The second environment had issues with incorrect versions of software, additional unapproved tools and software installed, and little to no tracking of activities that occurred within the environment; the system had become unstable and non-functional. It was decided to rebuild the environment from scratch and apply the same level of security rigour as the first environment. This example demonstrates how security controls, when adhered to, can help an organization reduce operational costs.

Organizations need to spend less effort treating PCI DSS compliance as a project, and instead modify, enhance or transform their current security processes and strategies to embrace whatever security framework their industry requires, whether it be PCI DSS, ISO 27001, PIPEDA, HIPAA, GDPR, NIST or ITIL. The most mature organizations understand that security operations have a seat at the table and help shape the direction and focus of the organization. The journey to compliance may be longer, but the effort pays dividends in the end. It has been our experience that organizations that embed security and compliance into their business-as-usual processes are more resilient in accepting changes in the business, more in tune with risks and threats to their organization, and better prepared to respond to their customers’ concerns.

Build a Mature Organization, Securely.

Learn more

Why POI Tamper Inspections are so Important
June 19 2019

It is amazing to see how many organizations take things for granted in their environment. In the video below, you can see a skimmer device installed in a retail location. The attendant was distracted for less than 20 seconds and the card skimming device was in place in 5 seconds. No special tools or techniques
