SRM Blog

Do not wait until it’s too late – engage a PFI company now!

‘Do not wait until it’s too late – engage a PFI company now!’ That is the advice given by Jeremy King, International Director, PCI Security Standards Council, in his closing speech at last week’s PCI London event. He’s right of course. Too many organisations wait until there is a crisis – a potentially crippling breach of their card data security – before they make their first contact with a Payment Card Industry Forensic Investigator (PFI).

It could be compared to a fire. If a sound working partnership has been developed with a fire officer then all reasonable preventative measures will have been taken. The chances of a fire being established and taking hold are minimised. Yet even the most robust preventative strategies cannot eliminate an unforeseen event and no matter how many potential fires are avoided, it only takes one wilful arsonist or one electrical fault to wreak chaos.

Even in the event of such a catastrophe, having a trusted relationship with an expert professional is still hugely beneficial. Here the analogy to a fire becomes a bit shaky, but imagine if a fire is taking hold and there is someone who not only understands how to put the fire out, but also knows where all your valuables are kept, who is particularly vulnerable, and has the capability to deploy the firefighters immediately, thereby reducing its impact. That is what a PFI does when it comes to managing data breaches.

The fact is that breaches can and do occur. Even to those with full PCI DSS compliance and strong defences. If a business is identified as the ‘common point of purchase’ for a breach then a PFI forensic investigation is a regulatory requirement of the Brands. But a trusted and engaged PFI company will already have an intimate knowledge of that company, its systems and key personnel, ensuring that fraudulent activity is stopped and remedial action taken in the shortest possible time frame. This will save time and money, while also protecting the company’s reputation.

It is not all about crises, however. It is important to note that PFI companies have a much wider scope of expertise than simply conducting forensic investigations. They can help to manage and drive all aspects of a company’s online security, providing a holistic approach to the whole range of issues from data storage to Incident Response Planning. Crucially, they also provide the expertise to build a robust defence without compromising the ability of the business to trade.

SRM is one of only 22 companies worldwide accredited by the Payment Card Industry to investigate breaches of credit card data. It has the largest experienced PFI team in Europe which includes a large number of qualified PCI PFIs. Our expertise goes beyond PFI, to include all aspects of information security management and the implementation of PCI DSS.

Changes to the Issuer Identification Number (IIN) standard

The numbers on payment cards are going to become longer. This is because of changes which are being made to the international standard (ISO/IEC 7812) under which Issuer Identification Numbers (IINs) are issued. The changes have come about because of the dwindling number of IINs that remain open for registration.

IINs currently appear as the first six digits on payment cards. The leading digit is the major industry identifier (MII), followed by five digits, which together make up the IIN. But due to an increasing demand for these unique identifying numbers, the International Organization for Standardization (ISO) is expected to publish revised standards which will change IINs from six to eight digits. The overall Primary Account Number (PAN), which is generally understood to reflect the IIN plus the unique number assigned to an individual or company, may consequently increase in length to reflect this change.

Visa announced in July 2015 that it expected to continue to support a PAN length of 16 digits. This was after stakeholder consultation within the industry. A change that is seemingly as minor as this turns out to have some significant ramifications for any entity that accepts payment cards, in that applications are generally designed to expect card numbers of certain lengths, depending on the card issuer. Changing these values would require updated software in all devices or systems that accept a payment card – no small task.

So what about the security implications of this change? If the IIN is increased to 8 digits and the PAN remains 16 digits, the unique value assigned to the card has in effect been reduced from 10 to 8 digits. Does this pose a potential security weakness to card numbers? This point has not been missed by the industry and discussions are afoot to try and counteract this change.

The draft of the revised standard has been approved by ISO members and is due to be published in early 2017. Businesses and organisations which require IINs should be aware of these imminent changes and should begin a process of planning and analysis to identify any potential system and process impacts. At the moment it is all conjecture, but it seems likely that something will have to change at a standard level before vendors start to make updates to their software and merchants start rolling these changes out.


The main points of the revised version of the ISO/IEC 7812 standard are:

  • The Registration Authority (RA) will start assigning eight-digit IINs to any institution applying for a single IIN or block of IINs.
  • Issuers with eight-digit IINs will be required to issue a minimum PAN length of ten digits. The maximum will continue to be 19 digits in length (with Visa supporting the current standard of 16).
  • Existing six-digit IINs will be converted into a block of a hundred eight-digit IINs. As the majority of issuers are unlikely to need all one hundred of these, they are encouraged to return any unused eight-digit IINs to the RA.
  • Any ISO/IEC standards referencing ISO/IEC 7812-1 should be reviewed for potential impacts.

All users of ISO/IEC 7812-1 are strongly advised to begin planning and analysis to identify any potential system and process impacts associated with their plans to adopt the new standard.

The security implications of the extended IIN lie in the detail. Visa are currently undertaking systems analysis and development, which they expect to be complete by 2019, three years ahead of the proposed change. Currently the PCI DSS masking rule is built around the first six and last four digits of the sixteen-digit card number. It may be that the PCI council will have to look at changing the standard to accommodate this new field length without altering the security posture of the masking.
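To make the arithmetic in the two passages above concrete (the account identifier shrinking from 10 to 8 digits, and what the first-six/last-four masking rule leaves hidden if it were simply widened to match an eight-digit IIN), here is an added worked example. It is not SRM's or Visa's code; the PAN is a constructed, Luhn-valid test value, and the "first eight" display rule is hypothetical.

```python
# Added example (not from the original post): IIN length vs. PAN masking.
# SAMPLE_PAN is a constructed Luhn-valid test value, not a real card number.

SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """True if the PAN passes the Luhn check; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_lead: int = 6, show_trail: int = 4) -> str:
    """Mask a PAN for display, leaving only the leading and trailing digits visible."""
    hidden = len(pan) - show_lead - show_trail
    if hidden < 0:
        raise ValueError("display rule would expose the whole PAN")
    return pan[:show_lead] + "*" * hidden + pan[len(pan) - show_trail:]


def hidden_search_space(pan_len: int, show_lead: int, show_trail: int) -> int:
    """Number of Luhn-valid PANs consistent with one masked value.

    Each hidden digit contributes a factor of 10, but the Luhn checksum pins
    exactly one of the hidden digits, so only a tenth of the completions are valid.
    """
    hidden = pan_len - show_lead - show_trail
    return 1 if hidden <= 0 else 10 ** (hidden - 1)


def compare_iin_lengths(pan: str = SAMPLE_PAN) -> dict:
    """Account-identifier size (check digit included, as the post counts it) and the
    masked search space when the display rule shows the whole IIN plus the last four."""
    result = {}
    for iin_len in (6, 8):
        result[iin_len] = {
            "iin": pan[:iin_len],
            "account_digits": len(pan) - iin_len,
            "masked_display": mask_pan(pan, iin_len, 4),
            "valid_pans_behind_mask": hidden_search_space(len(pan), iin_len, 4),
        }
    return result


if __name__ == "__main__":
    for iin_len, row in compare_iin_lengths().items():
        print(f"{iin_len}-digit IIN: {row}")
```

Under today's rule a masked 16-digit PAN hides 100,000 valid candidates; if the displayed prefix grew to eight digits with the last four still shown, that falls to 1,000, which is the posture change the post says the council would need to examine.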

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

What is an Incident Response Plan?

Information security breaches can and do happen, even to the best prepared organisations. Every year, companies that have demonstrated ongoing PCI DSS compliance will still fall victim to an information security breach. Because, in the war for our card data security, the enemy always has the element of surprise.

Most can imagine a scenario which would compromise their security. A serious fire destroying the whole office function. A rogue employee exposing customer data. A terrorist or criminal hacking their systems. With a war fought on so many fronts, however, it is impossible to defend against all attacks. Because an organisation that is defended to the hilt is also likely to be impenetrable, and therefore not in the business of doing business.

In this war of attrition, some attacks will get through. And the repercussions could be disastrous if there is a long delay in getting the business back on its feet. But the aftermath need not be catastrophic. Recovery can be accelerated to restore normal trading in the shortest possible time frame. That is where a robust Incident Response Plan comes in. Not only does it go a long way toward anticipating and avoiding potential disasters but if an organisation is compromised, it will mitigate the damage and accelerate the road to revenue and reputational recovery.

PCI DSS Requirement 12.10 states that entities must “be prepared to respond immediately to a system breach.” Guidance notes go on to state that such a plan should be “thorough, properly disseminated, read, and understood by the parties responsible”; and include proper testing at least annually to ensure the process works as designed and to mitigate any missed key steps to decrease exposure.

In reality, while all PCI DSS compliant organisations have a degree of incident response capability, in some cases this is simply a box ticking exercise. Few have an adequate Incident Response plan which fully outlines the process for recovery in any number of situations and provides a framework for rapid restoration.

Planning is the key to an effective strategy. It is also important to consider bringing in professional expert support at this stage to assist in developing and maintaining an Incident Response plan that not only ticks the boxes but actually delivers in the event of a breach. If a breach does occur, having engaged professional support means that there are expert investigators with an intimate knowledge of your organisation on standby. They will ensure the breach is stemmed, cardholder data is secured and revenue generating activities suffer minimal impact. The cost of professional input must be seen as cost effective in the context of restoring business function.

Hot water and PCI compliance

There are a lot of online registers for reputable tradesmen. Many of these provide contact details for reliable plumbers in any given area, together with ratings and personal recommendations. In theory, you need look no further: your job will be completed to your entire satisfaction. On time. And in budget.

Yet, in reality, most of us know that there is still a measure of personal responsibility required to check out whether the credentials are genuine and the glowing testimonials are accurate. Because if one small element of a plumbing job is overlooked, it is our shower that runs cold, not the tradesman’s. In the end, you can outsource any job but, if even a small part of it goes wrong, you are the one that ends up in hot (or cold) water.

So, when Visa makes claims for its Global Registry of Service Providers, it is worth applying the same critical faculties. That is not to cast any aspersions on the integrity of the list because it is an extremely valuable tool. But the sole responsibility for an organisation’s payment card security lies with that organisation; not with a third party which operates behind the scenes.

PCI Requirement 12.8 states that businesses must ‘maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.’

They are also obliged to keep a list of all the service providers that fall under this banner and to have a program to monitor these third parties’ compliance programs too. Checking the Visa list is one way of doing that. But your organisation’s security measures must go much deeper – and more personal – than this. It is advisable to have a nominated person within the business to manage PCI compliance and also to maintain the policy for engagement with third parties, such as due diligence checks.

Having a checklist of what is required is also very important. If you are going to outsource some of the security functions to a third party, you will need to check that no elements of your security management framework have fallen down the cracks. For instance, if you outsource physical destruction of paper media that contains some sensitive info (like card numbers and order data), the third party must be able to demonstrate that, even if they are registered with the Visa (or any other) list for some of their operations, they have been assessed for the elements of the PCI standard that deal specifically with physical security and data destruction.

This method, often referred to as the Third Party Compliance Matrix, is a neat way of mapping out all of the requirements and ensuring that total coverage is achieved across your own business and via the various third parties that you use.
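As an added illustration of the matrix idea (not SRM's own tooling), the following script maps each requirement to an owner and flags the two kinds of gap the post warns about: requirements nobody owns, and requirements outsourced to a provider who is registered but whose assessment does not actually cover that function. Requirement labels, the provider "ShredCo" and its scope are constructed for the example.

```python
# Added example (not from the original post): a minimal Third Party Compliance
# Matrix check. Provider names, scopes and most requirement labels are constructed.

from dataclasses import dataclass, field

SELF = "self"


@dataclass
class Provider:
    name: str
    on_visa_registry: bool                      # listed on the Global Registry
    assessed_requirements: set = field(default_factory=set)  # what its AOC covers


# Requirement -> who is responsible for it (None = nobody assigned yet).
# 12.8 and 12.10 are the requirements quoted in the posts; the rest are labels.
MATRIX = {
    "12.8 manage service providers with access to cardholder data": SELF,
    "12.10 maintain and test the incident response plan": SELF,
    "secure storage of paper media holding card numbers": "ShredCo",
    "physical destruction of paper media": "ShredCo",
    "annual penetration test of the card environment": None,
}

PROVIDERS = {
    "ShredCo": Provider("ShredCo", on_visa_registry=True,
                        assessed_requirements={"physical destruction of paper media"}),
}


def coverage_gaps(matrix: dict, providers: dict) -> list:
    """Return (requirement, owner, reason) for every row the matrix does not cover."""
    gaps = []
    for req, owner in matrix.items():
        if owner is None:
            gaps.append((req, owner, "unassigned"))
        elif owner != SELF:
            provider = providers.get(owner)
            if provider is None:
                gaps.append((req, owner, "provider missing from 12.8 list"))
            elif req not in provider.assessed_requirements:
                # Registry listing alone is not evidence for this specific function.
                gaps.append((req, owner, "not in provider's assessed scope"))
    return gaps


if __name__ == "__main__":
    for req, owner, reason in coverage_gaps(MATRIX, PROVIDERS):
        print(f"GAP: {req!r} (owner={owner}): {reason}")
```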

Ultimately, you can outsource virtually every aspect of your payment card management apart from the actual responsibility to securely manage your environment. Risk transfer is all about making sure you understand the contractual relationship and the obligations of your third party suppliers. This responsibility lies with you and only you. If something goes wrong, it is you that will end up in hot water, rather than the fairly anonymous third party behind the scenes. Which brings us back to the dodgy plumbing and the cold shower.

What is the difference between a penetration test and a vulnerability scan?


Penetration testing and vulnerability scanning are sometimes confused. After all, they sound as if they might do a similar job. But there are important differences.

Also known as vulnerability assessments, vulnerability scans assess computers, systems, and networks for security weaknesses, also known as vulnerabilities. The benefits of a vulnerability scan are obvious: quick, affordable and because they are automatic, they can be scheduled to run on a regular basis. To configure a vulnerability scan, you usually set up an account with an automated scanning tool and enter the details of the device (or devices) that you want to have scanned – and off you go.

But beware: vulnerability scans may provide false reassurance. They are a passive approach to vulnerability management, because they don’t go beyond reporting on vulnerabilities that are detected. The scans are generally of a prescribed nature, in that they are checking for known issues and patches according to a database. They do not inform about the potential exploitation of vulnerabilities nor how to reliably manage remedial action. By their very nature, they cannot understand or anticipate the complex ingenuity of sophisticated human hackers. A scan simply shows you where your weaknesses may be.

A penetration test, on the other hand, simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities, which is why they are sometimes referred to as ‘ethical hacks’. But unless properly scoped by experienced professionals, a penetration test is limited by what it is asked to do, because it cannot think for itself. This is where the value of ‘scoping’ comes in. A correctly-scoped penetration test utilises the most important tool in the penetration test armoury: the human mind. A penetration tester will often start out with a similar set of tools, including the use of a vulnerability scan, but this is where the penetration test deviates and begins to delve much deeper into the security of a network, its applications and the underlying operating system.

A qualified penetration tester is able to think laterally, using both training and experience to analyse and synthesise. They will put themselves into the mind of a hacker and have the imagination to anticipate possible future weaknesses. Penetration testers provide a deep look into the data security of an organisation and typically, their reports are meticulously detailed and contain a description of attacks used, testing methodologies, and suggestions for remediation.

So how should you best use vulnerability scans and penetration tests? Well, ideally, both tests work together to encourage optimal network security. Vulnerability scans are great for a weekly, monthly or quarterly insight into your network security, while penetration tests are a very thorough way to really put your network security under the microscope. Of course, penetration tests are more expensive, but having a professional examine every nook and cranny of a business the way a real world attacker would, may save a great deal of money in the long run.