PCI DSS

Win a free day’s consultancy: October offer to celebrate National Cyber Security Awareness Month (NCSAM)

Security Risk Management is offering a free day’s consultancy in support of National Cyber Security Awareness Month.

October may, for many, be associated with the ghouls and ghosts of Halloween. But that is not all this month is about. It is also National Cyber Security Awareness Month. Like Halloween (in its current form) the NCSAM has its origins in the United States. Unlike Halloween, however, it focuses on keeping us safe from those who might wish to harm us.

In 2004 the US Department of Homeland Security and the National Cyber Security Alliance joined forces to create an initiative to educate and raise awareness of staying safe online. Its aim is to engage with and educate businesses, educational organisations and the public in how to build resilience and stay safe online. It is now recognised in the UK as an important way to remind everyone of the potential perils of cybercrime.

This year’s theme is ‘Our Shared Responsibility’ and this has relevance to the business community as well as the general public. Data breaches hit the headlines on a regular basis. Every time a company is exposed in this way it highlights the need for data security to be at the top of every board agenda. It cannot be the sole remit of the IT department or the Chief Information Security Officer (CISO). Its importance is so great that it ought to appear on board agendas every month, even if a sub-group then manages the implementation of compliance and security.

From phishing attacks which exploit human psychology to gain access to an individual’s log in and account details, to large scale Black Hat attacks by highly-organised cyber criminals, company-wide awareness is crucial to protection and defence. Increasingly, boards are becoming aware of their collective responsibility to provide additional resource and support for their information security teams. Outside expertise is an important aspect of this, particularly when it comes to testing a company’s defences.

Rather than waiting for a malicious attack from an unprincipled attacker, it is important to make use of the skills of experienced information security test teams. The very best include individuals with the Offensive Security Chartered Practitioner (OSCP) qualification. Unlike their counterparts with only theoretical knowledge of hacking, those with OSCP training have practical skills. Their rigorous training includes the requirement to be able to effectively hack a range of well-protected networks within a challenging timeframe. Through this process they get into the minds of the hackers themselves.

Those boards that are seen to be proactive will help to make their organisation less appealing to hackers. Those who have engaged with the best test teams will make the actual task of breaching security sufficiently difficult that hackers will look for easier prey. So let October be the month in which every board of every company in the UK prioritises data security and recognises its shared responsibility.

To win a free day’s consultancy, just leave your details on the Contact Us page. The prize includes:

  • Development of the information security risk profile of your organisation delivered by an experienced Information Security Consultant;
  • A prioritised roadmap to help you focus on the issues to fix now and suggested mitigation steps to help you manage key risks;
  • Where your organisation ranks on the GDPR maturity scale and the next steps you should take to be prepared for May 2018;
  • A scan of your website to uncover any significant security risks using our best of breed scanning tool;
  • Preparation for Cyber Essentials and a discount on obtaining certification.

This prize is worth over £1000 and will provide you with comprehensive insight of your organisations Information Security risk profile.

PCI – Europe Community Meeting Barcelona 24 – 26 October 2017

James Hopper and Paul Brennecker of SRM will be attending the Europe Community Meeting in Barcelona 24th – 26th October. Organised by the Payment Card Industry Security Standards Council (PCI SCC) the focus of the three day event will be the security of payment card data. Those who are attending are invited to make appointments with James and Paul to discuss any specific issues they may have and receive free advice from two of the industry’s experts.

James Hopper

James is skilled at providing strategic insight into the management and implementation of business-wide information security solutions. He is a clear-thinking no-nonsense problem-solver with wide experience in both the corporate and SME markets.

James joined SRM in 2016 and brings extensive senior management experience from within the worlds of Consultancy and IT. Previously with a large FTSE 100 Outsourcing Company as a Managing Consultant and the Operations & Innovation Director for a large NHS Organisation, he has overseen the scoping and implementation of plans from the very small to extensive national projects. His experience also includes delivery of major IT Transformation Programmes and senior assurance roles.

Paul Brennecker

Paul is a PCI DSS compliance guru. He regularly speaks at PCI conferences and writes on issues relating to card payment security. He is also a practising senior Information Security Consultant at SRM. He is currently engaged with a number of high-profile organisations, assisting them with their compliance programmes. Ranging from programme management, and mobilisation of their PCI DSS compliance projects, Paul also advises clients on their information security policies, their implementation and training requirements. Paul has considerable skill at conducting pre-compliance scoping and de-scoping exercises, conducting gap analysis assessments, creating remediation plans and assisting with intrusion detection and prevention systems.

Paul joined SRM in March 2008 from Barclaycard. As their former PCI Compliance Manager, Paul successfully drove the compliance programme forward and worked closely with both VISA and MasterCard to raise awareness of the standard and was a regular key-note speaker at the industry’s security forums. Due to his substantial network of colleagues and industry contacts Paul is a well-known and highly respected consultant, recognised for his approachable manner and depth of knowledge.

Simply email james.hopper@srm-solutions.com or paul.brennecker@srm-solutions.com to make an appointment.

US statistics warn of new trends in cybercrime: how a retained PFI can mitigate the risks

Statistics provide useful evidence of the trends developing within the world of information security. Figures compiled from reported attacks in the United States for July 2017 give us a breakdown of attacks sector by sector, providing some useful insight into the minds of cyber attackers and their motivation. As we all know, cybercrime is international and these trends are likely to be reflected in the UK in the coming months. The key figures from this latest research show an increasing trend towards attacks on individuals and an increase in the number of attacks motivated by crime.

In fact, the number of cyberattacks on individuals in the US doubled between June and July 2017. In June 14.1 per cent of recorded attacks were targeted at single individuals but in July this figure had increased to 27.5 per cent. Of course, this still means that other sectors account for nearly three quarters of all cyberattacks. Industry (26.1%), Government (8.7%), Healthcare (8.7%) and Finance (5.8%) were the other major targets.

As for motivation, that 84.1 per cent of attacks in July 2017 were motivated by cybercrime is no great surprise. The fact that this particular motivation has increased by 15.3 per cent since June, however, is worthy of note. Rogue individuals with the requisite skill set have long been attracted by financial reward, yet in the past Cyber Espionage, Cyber Warfare and Hacktivism figures more significantly in these statistics. So theft is on the increase.

What does this mean for UK businesses? Given that the trend is toward an increase in crimes on individuals it may not be obvious. But we have noticed a correlation between an escalation in individual attacks and a heightened awareness among the business community. This is perhaps due to the power of the media but also to the even greater power of word-of-mouth. Because when a businessman becomes aware that someone they know has had their account hacked, he or she will be more likely to look to their business’ online security.

As far as we are concerned, any news of this type is helpful. Because the fact is that cybercrime is on the increase. Whether it is the slow and subtle syphoning off of funds from an unsuspecting retailer or a massive much publicised hack demanding ransoms like the one inflicted on HBO, theft is nowadays more likely to be an online activity than a physical one.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. That is why increased awareness is always a good thing. The more businesses that retain an information security consultant to ensure their defences are robust, the fewer will be hacked. Those who trade online also benefit from a PCI Forensic Investigator (PFI) to protect their card payments.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We also provide a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a company’s systems, remediation is rapid and disruption minimal.

 

Summer holidays: don’t take your eye of the PCI DSS ball

The summer months are traditionally a time when hard-working people take a break. Those left in the office can end up feeling over-stretched or less-motivated than normal. But it is not a time for anyone to take their eye off the ball. Visa has issued new advice on how to Play it Safe this Summer, emphasising once again that working with the right partners is ‘crucial to protecting the cardholder environment’ and ensuring that PCI DSS compliance is met and maintained.

Produced for the US market, Visa’s analogy is based on the principles of baseball but it goes something like this:

First basefollow secure procedures

Ensure service providers follow secure procedures when using remote access to reach your environment. Service providers accessing a merchant’s Point of Sale (POS) system using remote access must follow secure procedures and those providers should go through the QIR certification program if eligible. This protects against data breaches and helps to facilitate compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Second base – change passwords

Change all default passwords to strong, multivariable passwords. The Verizon Data Breach Investigations Report (DBIR) found that 81% of breaches in 2016 occurred because criminals used either stolen and/or weak passwords. Requiring all employees to create complex passwords, and to change them often, adds a critical level of security to the environment.

Third base – ignore suspicious emails

Remind employees to ignore any suspicious emails and report them to IT. The DBIR found that 1 in 14 users were duped into opening an attachment from a phishing email and ‘95% of phishing attacks that led to a breach were followed by some sort of software installation’. Informing employees about phishing schemes will help prevent security lapses in the future.

Home run – partner with a Registered Service Provider

Partner with a Registered Service Provider. Soha Systems Survey on Third Party Risk Management found that 63% of all data compromises involve a third party vendor. Service providers listed on the Visa Global Registry of Service Providers meet Visa’s requirements for validating compliance with industry security requirements. Using these registered providers helps to secure the promise of a trusted payment system.

PCI DSS – seek professional advice

Establishing an organisation’s exact PCI DSS requirements can be a complex business and professional advice should be obtained.

SRM is an accredited QSA Company. Our team of QSAs can conduct your PCI assessment to validate and maintain your compliance with the PCI DSS. We have a wealth of experience in helping companies understand not only how to comply but how to reduce the scope to make compliance each year as simple as possible. From understanding how to complete the SAQ document right through to full PCI assessments for FTSE 100 companies, SRM has the qualifications and expertise to complete the task in a robust and cost-effective way. We also have an established Retained Forensics service which identifies and mitigates the risk of a potential breach.

http://blog.srm-solutions.com/hot-water-and-pci-compliance/

http://blog.srm-solutions.com/does-outsourcing-card-processing-make-you-pci-compliant/

http://www.srm-solutions.com/services/pci-dss/

http://www.srm-solutions.com/services/retained-pci-forensic-investigation-pfi-service/

Network intrusions are on the increase: time to engage a Retained Forensics specialist

This month Visa has reported an increase in the number of network intrusions involving service providers. It also reports increases in re-breaches of merchant payment environments and skimming incidents (July 2017). The company has therefore issued an alert to remind merchants of their obligations if a compromise occurs and to advise on the need to engage a Retained Forensics specialist.

It is not uncommon for card processors to send out emails warning of heightened risks. Yet it appears these are often overlooked in busy inboxes. In this instance, the warning is very real as card usage in the UK continues to rise.

The most recent statistics from Visa reveal that in April 2017 1,386 million purchases were made in the UK. That is a total spend of £58 million in one month alone and represents a number of ongoing upward trends including an overall increase in the usage of cards. Contactless payments now account for 30 per cent of total purchases compared to 16 per cent a year ago. It is not surprising that ingenious criminal minds are ramping up their activity in the card payment environment.

The message in Visa’s warning is that prevention is better than cure. If a suspected or confirmed data compromise occurs the PCI will compel the merchant to engage a PCI Forensic Investigator (PFI) at their own cost. If failure to protect the card environment is discovered, then fines are inevitable. In this instance the cost of mitigation together with the damage to a business’ reputation will be considerable.

Visa’s alert specifically mentions the recommendation to engage a Retained Forensics specialist to prevent a potential breach occurring in the first place. In today’s card processing environment, never has engaging a Retained Forensics team made better business sense.

This is where we come in. At SRM we are one of a handful of companies in the UK retained by the PCI to carry out PFI investigations. But we also offer a bespoke Retained Forensic service, which uses this expertise to proactively manage systems before an attack occurs. In this way, organisations can use our Data Forensic Investigations team to meet compliance requirements but also to build robust defences and test those strategies in a controlled manner, before the worst actually happens.

We do not recommend services or tools you do not need, preferring to use our extensive experience and understanding of the online retail world to set up a targeted plan of action and remediation which will keep your business compliant and as secure as it is possible to be. Given the persistence and resilience of cyber attackers there is a remote chance that a system might still be attacked. With a robust plan in place, however, remedial action will be swift, minimising financial and reputational damage. Demonstrating a proactive approach to protecting your customer’s data also puts you in a stronger position when dealing with acquiring banks or any other regulatory authorities.

Retained PCI Forensic Investigation (PFI) Service

SRM Blog