Summer holidays: don’t take your eye off the PCI DSS ball

The summer months are traditionally a time when hard-working people take a break. Those left in the office can end up feeling over-stretched or less-motivated than normal. But it is not a time for anyone to take their eye off the ball. Visa has issued new advice on how to Play it Safe this Summer, emphasising once again that working with the right partners is ‘crucial to protecting the cardholder environment’ and ensuring that PCI DSS compliance is met and maintained.

Produced for the US market, Visa’s analogy is based on the principles of baseball but it goes something like this:

First base – follow secure procedures

Ensure service providers follow secure procedures when using remote access to reach your environment. Service providers accessing a merchant’s Point of Sale (POS) system using remote access must follow secure procedures and those providers should go through the QIR certification program if eligible. This protects against data breaches and helps to facilitate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Second base – change passwords

Change all default passwords to strong, multivariable passwords. The Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches in 2016 occurred because criminals used stolen and/or weak passwords. Requiring all employees to create complex passwords, and to change them often, adds a critical level of security to the environment.

Third base – ignore suspicious emails

Remind employees to ignore any suspicious emails and report them to IT. The DBIR found that 1 in 14 users were duped into opening an attachment from a phishing email and ‘95% of phishing attacks that led to a breach were followed by some sort of software installation’. Informing employees about phishing schemes will help prevent security lapses in the future.

Home run – partner with a Registered Service Provider

Partner with a Registered Service Provider. The Soha Systems Survey on Third Party Risk Management found that 63% of all data compromises involve a third-party vendor. Service providers listed on the Visa Global Registry of Service Providers meet Visa’s requirements for validating compliance with industry security requirements. Using these registered providers helps to secure the promise of a trusted payment system.

PCI DSS – seek professional advice

Establishing an organisation’s exact PCI DSS requirements can be a complex business and professional advice should be obtained.

SRM is an accredited QSA Company. Our team of QSAs can conduct your PCI assessment to validate and maintain your compliance with the PCI DSS. We have a wealth of experience in helping companies understand not only how to comply but how to reduce the scope to make compliance each year as simple as possible. From understanding how to complete the SAQ document right through to full PCI assessments for FTSE 100 companies, SRM has the qualifications and expertise to complete the task in a robust and cost-effective way. We also have an established Retained Forensics service which identifies and mitigates the risk of a potential breach.





Network intrusions are on the increase: time to engage a Retained Forensics specialist

This month Visa has reported an increase in the number of network intrusions involving service providers. It also reports increases in re-breaches of merchant payment environments and skimming incidents (July 2017). The company has therefore issued an alert to remind merchants of their obligations if a compromise occurs and to advise on the need to engage a Retained Forensics specialist.

It is not uncommon for card processors to send out emails warning of heightened risks. Yet it appears these are often overlooked in busy inboxes. In this instance, the warning is very real as card usage in the UK continues to rise.

The most recent statistics from Visa reveal that in April 2017 1,386 million purchases were made in the UK. That is a total spend of £58 million in one month alone and represents a number of ongoing upward trends including an overall increase in the usage of cards. Contactless payments now account for 30 per cent of total purchases compared to 16 per cent a year ago. It is not surprising that ingenious criminal minds are ramping up their activity in the card payment environment.

The message in Visa’s warning is that prevention is better than cure. If a suspected or confirmed data compromise occurs the PCI will compel the merchant to engage a PCI Forensic Investigator (PFI) at their own cost. If failure to protect the card environment is discovered, then fines are inevitable. In this instance the cost of mitigation together with the damage to a business’ reputation will be considerable.

Visa’s alert specifically mentions the recommendation to engage a Retained Forensics specialist to prevent a potential breach occurring in the first place. In today’s card processing environment, never has engaging a Retained Forensics team made better business sense.

This is where we come in. At SRM we are one of a handful of companies in the UK retained by the PCI to carry out PFI investigations. But we also offer a bespoke Retained Forensic service, which uses this expertise to proactively manage systems before an attack occurs. In this way, organisations can use our Data Forensic Investigations team to meet compliance requirements but also to build robust defences and test those strategies in a controlled manner, before the worst actually happens.

We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business compliant and as secure as it is possible to be. Given the persistence and resilience of cyber attackers there is a remote chance that a system might still be attacked. With a robust plan in place, however, remedial action will be swift, minimising financial and reputational damage. Demonstrating a proactive approach to protecting your customers’ data also puts you in a stronger position when dealing with acquiring banks or any other regulatory authorities.


Time running out for GDPR compliance

Time is running out for UK businesses. By 25th May 2018 every business, charity and organisation needs to be ready for the General Data Protection Regulation (GDPR), because from that date EU regulators will start enforcing compliance. Yet a recent survey found that only 11 per cent of companies said their preparations are ‘well underway’ while 61 per cent admitted they had not even started the task of GDPR implementation. There are just 300 days to go.

GDPR compliance requires commitment and action, and with only ten months to go the pressure is on. An estimate by Gartner states that only 50 per cent of companies will be ready by the end of 2018, let alone May. With the power to impose much larger fines, GDPR needs to be taken very seriously indeed. To put it in context, the fines imposed on UK organisations by the Information Commissioner’s Office (ICO) last year totalled £880,500. Under GDPR those fines would be closer to £69 million.

So, why are British companies lagging behind? Perhaps some feel that the challenge and expense of embedding GDPR in their organisation is mitigated by the fact that only a few will be caught by regulators during the early bedding-in period. This may be true to an extent. We are unlikely to see thousands of cases being brought. But it is possible that EU regulators will go for shock and awe tactics in the first few months, imposing bold enforcement actions and large fines on a few transgressors to serve as a lesson to all. No one wants to be made an example of.

In the end, however, it is not fear of punishment but pressure from within that will push GDPR compliance forward. With processors, vendors, data controllers and suppliers all tied in to each other’s compliance, those that do not comply will be dropped in favour of those that do.

To support GDPR readiness, the ICO has produced a range of guidelines to help businesses with the implementation of GDPR. This includes website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations. An assessment of your existing level of readiness, together with a targeted schedule of actions, is best produced in partnership with a specialist information security consultant. In this way, you can prioritise and plan according to your organisation’s unique requirements.

SRM has a wide range of knowledge and practical experience. Our teams are GCHQ approved and GDPR practitioners, working with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur. However, with appropriate defences in place a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.



What does GDPR mean to SMEs?

by Melanie Taylor, Information Security Consultant

“With less than a year to the deadline for compliance with the General Data Protection Regulation, all companies should have assessed what they need to do and should be working on that”. So says the Information Commissioner’s Office. Anyone wondering about their company’s preparedness should prioritise the appointment of a data protection officer (DPO) to ensure compliance from 25th May 2018.

When it comes to the appointment of a DPO there is no exemption for small to medium-sized enterprises (SMEs). In the final version of the GDPR, all organisations that carry out large-scale systematic monitoring of individuals, such as online behaviour tracking or large-scale processing of data, are required to appoint a DPO either in the form of an in-house employee or a contractor.

While there is a general derogation for SMEs this only applies to record-keeping and processing activities, and does not apply if an organisation is processing personal data that could result in a risk to the rights and freedoms of an individual, or the processing of special categories of data or criminal convictions and offences.

In all companies good data governance is an issue which should be addressed at board level. It is not simply the task of the IT department to ensure compliance. Everyone in an SME needs to understand the importance of GDPR compliance, not least because it makes good business sense. Research by the ICO shows that 77 per cent of consumers are concerned about their personal data and 20 per cent would move their business elsewhere in direct response to a breach.

But for added leverage, it is worth pointing out the significantly larger fines that can be imposed for non-compliance under GDPR. It has been estimated that the ICO fines imposed after the implementation of GDPR in May 2018 will be 79 times higher than they were under the Data Protection Act.

The good news is that those companies that are already compliant with current UK data protection law will not have much to do to comply with the GDPR. But they will at least have to check that they are able to comply with what is new, such as the right to be forgotten, the right to data portability and the new consent rules for processing.

SMEs should also note that data breach notification is another important requirement to be introduced by the GDPR. Organisations need to ensure they have the procedures in place to detect, investigate and report personal data breaches. In fact, failure to report a personal data breach within 72 hours of identifying it will result in a fine, as will the breach itself.

SRM has operated in the data security environment for many years. With a wide range of knowledge and practical experience, our consultants are ready to help you understand the risks to your information and manage them effectively. Our specialist team provides a full portfolio of services which include data protection. We can assist companies to be in a more ready state for GDPR compliance when it comes into effect next year.


Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that administrators should be aware of: JavaScript-based eCommerce malware that re-infects websites automatically after incomplete removal. It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. Because it targets the database, the malware is resilient to normal removal attempts. Cyber criminals have recently used this technique to target eCommerce merchants by successfully injecting the JavaScript code into a database field of a merchant’s website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning for malicious code in HTML files alone is not sufficient to detect this malware. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of webservers for malware is one recommended measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove them.
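
The trigger check recommended above, as an added example that is not from the original post or from SRM: it lists every trigger in a database and flags those that carry script or URL markup or write to a table other than the one they are attached to. The post does not name a database engine, so SQLite stands in here, and all table, column and trigger names and the `example.invalid` URL are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample shop database; every table, column and trigger name is hypothetical.
SAMPLE = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL, updated_at TEXT);
CREATE TABLE page_template (field TEXT PRIMARY KEY, content TEXT);
INSERT INTO page_template VALUES ('footer_html', '<p>Thanks for shopping</p>');
CREATE TRIGGER orders_touch AFTER INSERT ON orders BEGIN
  UPDATE orders SET updated_at = datetime('now') WHERE id = NEW.id;
END;
CREATE TRIGGER orders_sync AFTER INSERT ON orders BEGIN
  UPDATE page_template
     SET content = content || '<script src="https://cdn.example.invalid/x.js"></script>'
   WHERE field = 'footer_html';
END;
"""
MARKUP = re.compile(r"<\s*script|javascript:|https?://", re.I)
WRITES = re.compile(r"\b(?:UPDATE|INSERT\s+INTO|REPLACE\s+INTO)\s+[\"`\[]?(\w+)", re.I)

def audit_triggers(conn):
    """Map trigger name -> reasons it looks like a content injector (for human review)."""
    findings = {}
    query = "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    for name, table, sql in conn.execute(query).fetchall():
        body = sql[sql.upper().index("BEGIN"):]  # statements the trigger runs
        reasons = []
        if MARKUP.search(body):
            reasons.append("script or URL markup in trigger body")
        others = sorted({t for t in WRITES.findall(body) if t.lower() != table.lower()})
        if others:
            reasons.append("writes to other table(s): " + ", ".join(others))
        if reasons:
            findings[name] = reasons
    return findings

def demo():
    """Show that an HTML-only clean-up is undone by the next order, then audit and fix."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    read = "SELECT content FROM page_template WHERE field = 'footer_html'"
    conn.execute("INSERT INTO orders (total) VALUES (10.0)")  # template was clean; new order
    reinfected = "<script" in conn.execute(read).fetchone()[0]
    findings = audit_triggers(conn)
    for name in findings:  # in practice: review each finding before removing it
        conn.execute(f'DROP TRIGGER "{name}"')
    conn.execute("UPDATE page_template SET content = '<p>Thanks for shopping</p>'")
    conn.execute("INSERT INTO orders (total) VALUES (20.0)")
    return reinfected, findings, conn.execute(read).fetchone()[0]
```

On a production engine the same audit reads the engine's own trigger catalogue instead of `sqlite_master`, and a legitimate trigger that writes to another table will also be flagged, so findings are a review list rather than a verdict.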

If you are in doubt, contact the SRM team who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.
