Monthly Archive March 2017

Does outsourcing card processing make you PCI compliant?

By Paul Brennecker, Senior Information Security Consultant & Principal QSA

The Payment Card Industry Data Security Standard (PCI DSS) lists a number of myths relating to PCI compliance. One of these is that outsourcing card processing makes a business compliant. Indeed it does not. No matter which third party is used, outsourcing card data processing does not abnegate the ultimate responsibility. That remains with the merchant. It is still, however, a method used by the majority of retailers to achieve PCI compliance. So, what are the issues with outsourcing and what should you be aware of?

A few years ago the question was posed: ‘Why do you need to keep the card data?’ and an awful lot of retailers stopped and thought ‘we don’t need it at all’. Some had previously used the card number as a unique identifier for customer loyalty tracking but with the advent of more sophisticated schemes for doing this, there is now no reason for the card number to be retained in most cases.

Outsourcing card data payments has become a popular option and it is easy to see why. When a merchant uses a validated third party to capture the payment information from their own website, the actual process of data capture bypasses their systems. In this way, they need not hold client data in-house and thus alleviate some of the obligations associated with PCI compliance. If they are able to demonstrate clearly that no data resides in the Merchant Environment, this means that in most circumstances a PCI SSC Self Assessment Questionnaire A will suffice. This reduces the scope of the PCI compliance program to just 22 controls. A significant number of these controls are related to selecting and managing third parties, but nonetheless the burden of compliance is much lighter on the merchant.

The one thing that can never be outsourced, however, is the responsibility to manage the environment responsibly. Merchants have a contract with an acquiring bank and it is the job of the acquirer to administer penalty fees for non-compliance and for data breaches. If the merchant uses a third party that suffers a data breach, the acquirer will still usually pass the fine to the merchant. They in turn will look at whether the third party was responsible for the data breach and pass the fine on to them. It is for this reason that the contractual arrangements with the third parties must be water tight. There must be a clear assignment of responsibility for the security of data that is shared with the third party and the ability to pass on any penalty fees that are applied as a result of loss of data.

A few further words of caution. Outsourcing simplifies payment card processing but does not provide automatic compliance. Nor is PCI compliance on its own sufficient to protect the Merchant Environment. Like a car MOT, it is only a reflection of the state at a given point in time. Threats to data security continue to rise in both number and level of sophistication. Only a continuous process of assessment and remediation will provide a robust defence against the theft of cardholder data. For more information on all issues relating to compliance and SRM’s portfolio of services click here.

Who’d want to be a University CISO?

Spare a thought for the University CISO: ‘As a group, CISOs live on a knife’s edge and do not sleep very well. They know that a breach is inevitable.’ So said William Hugh Murray in an Open Letter to Target CISO Candidates. It may sound bleak but new CISOs who are half way through their first academic year might, however, recognise its reality.

Given the fact that they are responsible for any breach of the University’s defences, being a CISO undoubtedly carries certain implicit risks and pressures. In the wider business world, the Ponemon Institue researchers estimate that the CISO’s average tenure is just 2.1 years and also revealed that 24% of respondents said that being a CISO was the ‘worst job they ever had’. Not the best advertisement for the role, but there is a positive here because in understanding the issues, we have also come to understand the solution.

In essence, the problem is that the CISO job description is changing. It’s no longer enough to be an expert in information technology; the CISO of 2016 is also expected to be a business leader, IT leader, finance leader and an excellent people influencer and navigator. It’s a tall order and one that few have the qualifications or experience to fulfil without additional professional support.

Yet, although the evolution of the role is undoubtedly underway, only a few Universities have also recognised the benefit to be gained from ongoing professional CISO support. Just as the finance department is not expected to function without input from professional accountants, nor the legal department without access to specialist solicitors and barristers, so the CISO benefits from a collaborative relationship with information security specialists whose role it is to support, enhance and resource the CISO function within the University.

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

As Britain navigates its way through the choppy waters of Brexit, there is a great deal of uncertainty about exactly what form our new relationship with Europe will take. In many ways our trading relationships will change; this is the inevitable uncertainty. But on one level the situation is significantly clearer: UK businesses will still be required to comply with EU law if they wish to maintain any trade links with European customers. So the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018 will still apply to most of us.

But the trouble with certainty is that it is rarely ever that simple. When it comes to our relationship with Europe it appears that the words of John Allen Paulos, an American Professor of Mathematics apply: ‘Uncertainty is the only certainty there is’. So where does this leave the CISO, whose responsibility it is to ensure compliance with not only GDPR but also any future UK and EU regulations? Well the clever mathematician went on to say that ‘knowing how to live with insecurity is the only security.’ And this is the key.

By accepting a degree of insecurity and establishing a means by which to manage it, a CISO can maintain compliance and provide strategic direction for the company’s information security agenda. The following steps will help to navigate this difficult course.

  1. Continue to steer towards whole company compliance with the existing information security standards like PCI DSS, Cyber Essentials, ISO 27001 and ISO 9001. Embedding these standards within your business will ensure you are well placed to deal with new challenges on the horizon.
  2. Work with an established professional team which will not only help you set your course but will also support, enhance and resource your information security strategic agenda. As industry experts they will know about impending changes and will ensure your compliance objectives take these into account.
  3. Make sure everyone on your ship is heading in the same direction. To do this you will need to exert board level influence. With access to high level of technical expertise and strategic guidance the CISO will be able to articulate the state of information security to the company stakeholders and lead employees, accessing company-wide support and making the case for adequate resource. This will set you up to be flexible and responsive to change.

SRM’s VirutalCISOTM has been developed to provide a cost effective bespoke solution to organisations without a CISO or where a board level strategic adviser is required to ensure Information Security remains high on the board agenda. The SRM VirutalCISOTM has access to an extensive portfolio of professional services to help embed Information Security throughout your organisation.

New face in cyber crime investigation

There is a new face at the forefront of investigating cybercrime in the UK. Newcastle-based Security Risk Management has achieved another success for its SRM Academy Programme. With over five years’ industry experience and six months of preparation, 26-year old Mustafa El-Jarrah has become one of the youngest Payment Card Industry (PCI) Qualified Security Assessors (QSA) in the world.

As a PCI QSA, 26- year old Mustafa has also been accepted by the PCI as a Payment Card Forensic Investigator (PFI). Only six companies in the UK operate in this field and Security Risk Management (SRM), which Mustafa joined in 2015, is one of these.

The SRM Academy was established to address the national shortage of top level qualified cyber security consultants. Delivering elements of cyber security training to colleges in the North East, Newcastle-based SRM Ltd also employs individuals with potential and then provides them with training in house. SRM Ltd now boasts the largest number of QSAs of any cyber security company in Europe.

Brian Fenwick, Director, says: “We are one of only 18 companies in the world accredited by the Payment Card Industry to investigate breaches of credit card data, and one of only six in the UK.  As an aspect of maintaining this standard we prioritise recruitment and training. We run an internal training programme as well as ensuring that those studying to become QSAs attend numerous client sites with an experienced QSA to assist with the practical elements of the course.”

In his new role, where instances of data theft occur Mustafa will be called upon to deal with the investigation of major incidents. Forensic investigation work often deals with various types of online theft. Either of significant sums from online transactions or in terms of personal data theft. Both forms of theft put individuals at risk of a host of other fraud issues.

Once the source is identified, remedial action can be taken swiftly to return a business to an operational level. SRM Ltd consultants will advise on effective damage limitation and work in partnership with the company involved to re-establish normal trading as quickly as possible and support the achievement of PCI DSS Compliance as required.

The technology gap which leaves organisations vulnerable to attack

While all of us are aware of the need to protect our organisation’s technology from potential threats and security breaches, few are fully aware of the gaps that exist which leave us vulnerable to information security attack.

Indeed, most of us have invested in a combination of technical services and technology to process the information needed to do business, hoping we have taken the steps necessary to establish a line of defence against potential attack. The harsh truth is, however, that in many cases, these products and services were not designed to work with each other and experience shows it is normally the gaps between these tools and services that lie at the root of most of the security challenges facing businesses and organisations. This means that our investment is often undermined and crucially we are often unaware of this vulnerability until it is too late.

To fill this gap, we need someone who understand the current information risk environment in which the business operates and who can take responsibility for all strategic information security goals – the role of CISO – with proven experience and authority to perform the function for their business or organisation. This individual needs to inform, influence and support the organisation’s board, shareholders or partners and requires knowledge and resources to engage their full support. This applies to micro businesses through to large companies and institutions.

Whatever the size of an organisation, one individual needs to be responsible for information security and that person is usually the Chief Information Security Officer (CISO). In smaller companies, this is likely to be one of a number of roles held and may not realistically be the focus. Yet the implications of a security breach are far reaching, both in terms of finance and reputation, so the CISO role is a vital one.

Few would ever expect to manage the full accountancy or legal function of an organisation in house, relying on expert professional guidance and resource to deliver effective solutions. It is within this context that SRM has developed VirtualCISO. In reality this service goes above and beyond the simple task of filling the gap. But it is not intended to replace or undermine the roles of Chief Technical Officer (CTO) or CISO in any way, rather enhancing, resourcing and advising these officers on how best to manage all aspects of Information Security Risk.


SRM Blog

SRM Blog