PCI Deadline & Fine Question
 

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a reader: 
"There has been a lot of confusion on what the actual date is by which Cities have to be in compliance before we get charged the crazy fee of $10,000 per day. I heard it was December 31, 2010. But there have been rumors going back and forth. Can you please help clarify this for us? Thank you,"
 
VT,
 
I am not sure of the context, but based on the date I think they are talking about MasterCard's deadline for Level 1 and 2 merchants to have a QSA audit. This would not affect most Cities.
 
However, technically they must be compliant with PCI DSS (Data Security Standard) now. Additional fines come if there has been a breach and the City is not compliant with PCI DSS. The way it works is that for each level of merchant (Levels 1-4) the Card Brands (Visa, MasterCard, etc.) charge the Merchant Banks (BofA, Wells Fargo, etc.) for any of their merchants (e.g., Cities) that are not compliant. Most Merchant Banks pass the fees on to their merchants. This has already happened for Level 1 and 2 merchants and is in the process of being rolled out for Level 3 merchants. Most Cities are Level 4 merchants.
 
Now this is per card brand as well, so Visa may charge a bank x dollars while MasterCard charges y. This $10,000 fee could also be coming from a Merchant Bank; I would think that applies only to Level 1 and 2, maybe Level 3, merchants.
 
Here is a list of some of the fees related to PCI and who typically is involved.
 
The Card Brands (Visa, MasterCard, Discover, etc.) charge each Merchant Bank (aka Acquirer or acquiring bank) a fee (sometimes called a fine) based upon the number of merchants they report that are not compliant at each of the different merchant levels (1-4). This fee is not disclosed publicly and is different for each Merchant Bank. The Merchant Banks typically pass this on to their merchants as a PCI fee of some sort; I have seen it called all sorts of things. There are different deadlines for each merchant level.
 
There are fines a merchant must pay if they have had a breach:
There is a per-day fine of $5,000-25,000 for every day you don't report the breach.
The Merchant is responsible for the cost of the forensic audit that is used to determine how the breach occurred.
The Merchant is responsible for any cardholder losses. Typically the Merchant also pays for credit monitoring for affected customers.
The Merchant Bank will pass on any of its losses related to the breach to the Merchant.
The Merchant who has had a breach is moved to Level 1 and is then responsible for annual PCI audits.
 
As for deadlines, there are many of them, all for different things, such as using approved applications and approved devices.
 
Without the source, I am not 100% sure what they are talking about; they could be talking about any of this. I also think the great misconception people have is that they don't have to be compliant yet. Every merchant has to be compliant now. Most of the deadlines are for rolling out additional requirements. Most Cities are behind the 8 ball on this one.
 
If you have further questions give me a call.
 
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
ACH Fraud on the Rise


The FBI released a warning for local governments and small businesses to be on the lookout for ACH fraud.
 
The FBI issued a press release concerning a significant increase in the last few months of fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts. The scam is a type of phishing attack: the unsuspecting finance person is lured into installing malicious software. The malicious software hides itself and records everything the person does on that computer, including the usernames and passwords used for everything from online banking to ACH transfers. The software then forwards the usernames and passwords to the bad guys, who promptly use them to transfer funds out of the organization's bank account.
 
What is new is the increase in incidents, not the method of attack. In April of 2007, the City of Carson, California was a victim of the same type of attack. The hackers were able to transfer $498,000 before the bank froze the account.
 
Local municipalities and small businesses are easy targets for hackers. Hackers know that local municipalities and small businesses have little or no IT security budget, and few staff with the necessary skills.
 
How do you protect your organization?
The Federal Government has recommended that state, local and tribal governments adopt National Institute of Standards and Technology (NIST) security guidelines. Recently NIST added guidance for small businesses as well, including video tutorials.
 
Following these guidelines and standards will not make an organization 100% secure. However, they go a long way toward preventing these types of attacks. In fact, an organization that followed these NIST guidelines would most likely not fall victim to them.
 
For more information:
FBI Press Release
Small Business IT Security Guide
NIST Special Publications
 
 
 
 
A Prioritized Approach for Compliance
 

A recent trend in the information security industry has been the concept of a prioritized approach to implementing security controls and standards. With any of the standards or compliance requirements (FISMA, SOX, HIPAA, NIST, GLBA, ISO and PCI) it can be difficult for organizations to meet all of the requirements. All organizations have limited time and resources and are forced to implement as many measures as they can and leave some undone.
 
The current economic situation is increasing pressure to cut budgets, which in turn further reduces the resources available to protect information and systems. Organizations are often left wondering where they can cut or hold off implementation of security controls. With increasing requirements and finite resources, something is going to have to give.
 
In order to find out which security measures can "wait" we need to determine the risk that not having a control in place poses to our organization. We can determine the risk by researching recent attack patterns. We can then determine which attacks are most likely and which controls are most likely to prevent those attacks. We should look at the probability or likelihood of the attack and the impact of the attack on the organization. We can chart the results in a four-quadrant graph and rank each vulnerability as High, Moderate or Low. See the simple chart below.
 
Risk Calculation (chart: likelihood versus impact, four quadrants)
 
Based on risk we can now determine which controls are "most" important now. This does not get the organization off the hook for any compliance standard, because typically all the controls in a compliance standard are compulsory. A prioritized approach makes sure the organization is spending time and resources where they are needed most and leads the organization down the path to compliance.
 
For example, in the news there has been an increase in SQL Injection attacks on websites. We could rate the probability as high based on the increase in this type of attack and the ease with which it can be executed. We also know that SQL Injection attacks have been widely successful in compromising millions of records containing personally identifiable information. We can rate the impact as high based on the millions of records lost and the millions of dollars organizations have spent dealing with these data breaches. Controls that can prevent such attacks should be given top priority, and organizations should increase testing of those controls.
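A worked version of the risk ranking and control prioritization described above, added here as an illustration; it is not code from the original post. Each attack is rated Low or High on likelihood and impact, the resulting quadrant is mapped to a High, Moderate or Low rank (both axes High is High, one axis High is Moderate, both Low is Low; that mapping is an assumption of this example), and controls are then ordered by the rank of the attacks they are expected to prevent. Making the attack-to-control mapping explicit goes one step beyond the post's chart. The attacks, controls and ratings are constructed for illustration; the SQL injection entry follows the High/High rating given above.

```python
"""Risk-based prioritization of security controls (added example).

Scores each candidate attack on likelihood and impact, maps the resulting
quadrant to a High/Moderate/Low risk rank, and orders controls by the risk
of the attacks they are expected to prevent. All attacks, controls and
ratings below are constructed for illustration.
"""
from dataclasses import dataclass

LOW, HIGH = "Low", "High"

# Four-quadrant chart -> risk rank. Both axes High is High risk, one axis
# High is Moderate, both Low is Low. (Assumed mapping for this example.)
QUADRANT_RANK = {
    (HIGH, HIGH): "High",
    (HIGH, LOW): "Moderate",
    (LOW, HIGH): "Moderate",
    (LOW, LOW): "Low",
}
RANK_SCORE = {"High": 3, "Moderate": 2, "Low": 1}


@dataclass(frozen=True)
class Attack:
    name: str
    likelihood: str  # LOW or HIGH, judged from recent attack patterns
    impact: str      # LOW or HIGH, judged from records and dollars at stake

    def __post_init__(self):
        # Reject anything outside the two-level scale so a bad rating
        # cannot silently land in the wrong quadrant.
        if (self.likelihood, self.impact) not in QUADRANT_RANK:
            raise ValueError(f"{self.name}: rate likelihood and impact as Low or High")

    def rank(self) -> str:
        return QUADRANT_RANK[(self.likelihood, self.impact)]


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: tuple  # names of attacks this control is expected to prevent


def prioritize(attacks, controls):
    """Return [(control name, highest rank score, total rank score)] with the
    highest-priority control first. A control that refers to an attack not in
    the list is a data error and raises rather than quietly scoring zero."""
    by_name = {a.name: a for a in attacks}
    rows = []
    for c in controls:
        unknown = [n for n in c.mitigates if n not in by_name]
        if unknown:
            raise ValueError(f"{c.name}: unknown attack(s) {unknown}")
        scores = [RANK_SCORE[by_name[n].rank()] for n in c.mitigates]
        top = max(scores) if scores else 0
        rows.append((c.name, top, sum(scores)))
    # Worst single risk addressed first, then breadth of coverage, then name
    # so the ordering is stable.
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


# Constructed sample data (hypothetical ratings).
ATTACKS = [
    Attack("SQL injection against public web apps", HIGH, HIGH),
    Attack("Defacement of static brochure site", HIGH, LOW),
    Attack("Theft of backup tapes from off-site storage", LOW, HIGH),
    Attack("Exploit of an isolated test server", LOW, LOW),
]
CONTROLS = [
    Control("Parameterized queries and input validation",
            ("SQL injection against public web apps",)),
    Control("Web application firewall",
            ("SQL injection against public web apps",
             "Defacement of static brochure site")),
    Control("Encrypt backup media",
            ("Theft of backup tapes from off-site storage",)),
    Control("Patch test lab hosts",
            ("Exploit of an isolated test server",)),
]

if __name__ == "__main__":
    for a in ATTACKS:
        print(f"{a.rank():8} {a.name} (likelihood={a.likelihood}, impact={a.impact})")
    print()
    for name, top, total in prioritize(ATTACKS, CONTROLS):
        print(f"top={top} total={total}  {name}")
```

Run it directly to print the ranked attacks and the prioritized control list. Ordering by the worst single risk a control addresses, rather than by a plain sum, keeps a control that stops one High-risk attack ahead of one that only covers several Low-risk ones; the explicit error on an unknown attack name means a typo in the mapping cannot quietly push a control to the bottom of the list.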
 
Recently the PCI Security Standards Council and the National Institute of Standards and Technology released guidance on implementing a prioritized approach to their respective standards. These approaches recognize the limited resources of organizations and focus on implementing the most crucial controls first, then continuing on to the remaining controls. Following them does not make an organization PCI or FISMA compliant; it simply addresses the reality of limited resources.
 
A prioritized approach to implementing information security will not get you to compliance today; it will, however, ensure the organization focuses its resources where they are needed most and where they will do the most good.
 
 
 