Does PCI Apply to me? Store Process Transmit

June 18, 2009 by treyford

Lots of people ask this, so it must be time to blog it: "Does PCI apply to my company?" Ask yourself three simple questions. Do you:

  • STORE Credit Card data.
    There is no reason to extol the virtues of ensuring that if someone stores your data, you want it to be done safely.
  • PROCESS Credit Card data.
    If you touch CHD (Cardholder Data, the term the ‘industry’ uses), in any way, shape or form, you are a liability to the safety of that data.  (If you disagree, leave your buddy’s daughter unattended with your credit card at a shopping center.  She is only ‘temporarily in contact’ with it.)
  • TRANSMIT Credit Card data.
    We need not extol the appeal, to an attacker, of valuable or sensitive data in transit.

So, if you do pretty much anything with Credit Card data, the Payment Card Industry probably cares that you are handling their data safely; it keeps the cardholders happy.

Now, let’s say that a company *does not touch* the CHD.  At all.  The company outsources most (if not ALL) of its payment processing to a ‘service provider’… what does PCI say about that?

PCI Requirement 12.8: “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

  1. (12.8.1) Maintain a list of service providers.
  2. (12.8.2) Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
  3. (12.8.3) Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.
  4. (12.8.4) Maintain a program to monitor service providers’ PCI DSS compliance status.”

Making it SIMPLE: if a company is in any way involved with Credit Card data, it needs to be sure that those interactions align with the security requirements it is legally bound to (you might want to start with that PCI DSS stuff).

For ultimate clarity, go to the ‘Acquiring Bank’: a banking institution must ultimately accept responsibility for any risk presented by the transactions it receives from business partners (like the merchants that pay it to convert credit transactions into cash).

FINAL THOUGHT: Even if your payment channels or your online store are outsourced, or you have completely eradicated any form of contact with the ‘actual credit card data stuff’, you may want to look at the Self Assessment Questionnaire stuff.  If the company that processes CC data ‘for your company’ is hacked wide open, your company will still get the free press for getting hacked (even though you may not be paying the fines).  (C’mon, if you outsource your CC processing and they get hacked, you aren’t getting my business till you fix that…)

In all seriousness, PCI has evolved.  Go check out the options for companies that see little, if any, credit card data.


OWASP PCI Project

May 26, 2009 by treyford

OWASP PCI Project :: Introduction and Call for Participation!

We are formally introducing the OWASP PCI Project to the Web Application Security community! The industry needs a workspace for PCI QSAs* and Application Security experts to work constructively together – the OWASP PCI Project will serve as the platform in building community consensus. 

The PCI Project drives focused discussion and awareness, promoting a thorough understanding of how to ensure safety in online payments.  Our mission is to:

  • Make payment application security requirements achievable,
  • Make the QSA perspective and audit points accessible, and
  • Build a unified and mutually agreed-upon approach to secure payment applications and sustainable compliance.

The scope of this group will ultimately extend beyond PCI, becoming a scalable software risk management framework for other regulations.  By focusing on managing risk, we are ensuring that web sites, applications, and web-enabled software of any type are secured the right way (and making compliance a natural and sustainable byproduct).

Now is the time to get involved!  Visit the project site and sign up!  We are starting to build the project roadmap, and we need YOUR help in framing this project!

Proposed projects include:

  • PCI Application Security Scoping Guidance,
  • Application Security Development Guidance,
  • PCI Application Security Auditor’s Playbooks,
  • More to come!

OWASP PCI Project : http://www.owasp.org/index.php/Category:OWASP_PCI_Project

* QSAs are Qualified Security Assessors: the individuals responsible for performing onsite audits and interpreting the PCI standard.

Benchmarking Application Security Expertise!

March 31, 2009 by treyford

In protecting websites, we know there is a very serious need for expertise.  What is the best way to communicate that?  Certifications are one of the only routes to establishing a benchmark for expertise in this fast-paced, technology-driven industry.  Application security experts are in high demand; this is even called out in some of my favorite guidance language:

“individual(s) must have the proper skills and experience to understand the source code and/or web application, know how to evaluate each for vulnerabilities, and understand the findings. Similarly individuals using automated tools must have the skills and knowledge to properly configure the tool and test environment, use the tool, and evaluate the results.”

Until now, there was only one route to really demonstrate your expertise, the CSSLP.  I am proudly submitting my latest certification for those hard-earned CPEs; this cert is very relevant to today’s security landscape.  I am now a certified Application Security Specialist!

I would encourage you to consider pursuing this designation with the Institute for Certified Application Security Specialists.  This type of designation will give your team that edge when engaging in the ‘proper skills and experience’ debate with your auditor (or in your next interview!).