
ASV scans – who needs it?

One of the most frequently asked questions we face after dealing with PCI-DSS (Payment Card Industry Data Security Standard) for the past 5 years is also one of the simplest: who needs to do an ASV scan?

ASV stands for Approved Scanning Vendor. These are the guys who have been approved by the PCI-SSC (that’s like the Jedi council, made up of MasterCard and his minions) to do public-facing scans for PCI clients. Anyway, ASV scans apply only to external-facing IP addresses that are IN SCOPE.

This is very confusing, because often our clients will give us either a small set of IPs, a gargantuan set of IPs like 10.x.x.x (yes, that’s an internal range, so that’s where the education begins), or the entire class C range assigned to them by their ISP.

Technically, the scope is defined by the merchant or service provider (NOT the ASV or QSA). However, if you are undergoing a full PCI program with us, we will obviously have more knowledge of your network and can help you define your scope appropriately. Otherwise, if you are a cold-call ASV client, we will generally rely on the scan scope you provide and scan those IPs or IP ranges. We prefer that you provide a set of IP host addresses; we can technically scan a network range, but the pricing may vary more.

So who needs to do it?

Anyone undergoing PCI who has a public IP address. This includes not just servers, but routers, VPNs, network devices and even POS devices. If you are an e-commerce company, you will likely have public IP addresses. If you are a retailer using IP-based POS, those devices need to be included. If you have DNS or mail servers that belong to you, those need to be included too.

Whether you are a level 1 merchant or a level 4 merchant, whether you are a level 1 or level 2 service provider, you need the ASV scan. The only companies that don’t require it are those with no internet connectivity at all. This is rare, but let’s say a mom-and-pop grocery store that uses a dial-up POS provided by the acquirer, or a knuckle buster (a manual card imprinter).

Otherwise, if you are undergoing PCI, you had best get ready for the ASV scan.

So to summarise the process:

a) Define which addresses are in scope and are PUBLICLY accessible. This includes any IPs that are filtered by a firewall.

b) Provide these IPs to the ASV, and the ASV will provide a range of source IPs to whitelist. We get some questions: why do we need to whitelist? Why can’t you guys just do the testing without whitelisting? Because ASV scans are not expensive and need to be done fast, so we generally don’t have time to simulate 100% the slow-burn attack that a real intrusion might involve. Actual attackers can afford to do that because they are not charging you and they are actually trying to get in.

c) Allow the ASV to do their job. We often get clients giving us, say, 20 IP addresses, asking us to scan, and in half a day demanding a report. Here is the difference between those peddling free unlimited ASV scans and actual ASV scans: the free unlimited scans do not come with manual verification of findings. So you get, say, 40 vulnerabilities listed in a colourful chart, and you generally need to go through those 40 and address them one by one (whether each is an actual vulnerability or not!). For us, we take a few days to plough through the vulnerabilities and remove the false positives through a manual verification process, which might include checking whether, say, the system is actually disclosing the information the scanner reports, or whether the scanner simply got the OS fingerprint wrong. That way we can whittle those 40 down to, say, 10 or fewer, and make it less of a chore for you. So beware of ‘Free’ ASV. Nothing in life is free. Except sunlight and air. And even those are being charged for in some countries.

d) Once it’s done, we release a preliminary report and go through with you what needs to be done. Generally, all medium and high issues need to be addressed. In most of the cases we see, they are SSL-related issues. If so, the good news is that you can move your mitigation plan to June 2018 and buy some grace period. All we require is a formal mitigation plan and we will pass the ASV.

e) ASV scans need to be done every quarter, so technically your ASV report has an expiry (3 months from the scan date). But in some instances, ASV providers such as Control Case allow you to define the quarter more precisely. The moment the PO arrives, we start counting the quarter. For instance, if it starts today (say, date X), then the first quarter will end 3 months from today (say, date Y). You can scan at ANY time in this quarter and it will be good up to date Y. So technically, you can scan right at the end of the first quarter (pass Q1) and, immediately when you go into Q2, start scanning for Q2. Depending on your ASV provider your mileage may vary, but we’ve worked with a few and this seems to be a pretty consistent interpretation of quarters.

The ASV scan is by far one of the least complicated things in PCI. However, don’t underestimate the effort. We have had clients who thought one week was plenty to do the ASV, and they missed their quarterly scan because we need CLEAN results. If we cannot get clean results (all medium and high issues resolved), we cannot pass the ASV. If we cannot pass within the deadline, you miss your quarter and there is no turning back. It will cause you problems when you re-certify for the coming year of PCI-DSS.

Good luck, and start early!

PCI-DSS Landscape in Malaysia


2014 was the year PCI DSS really took off for many companies and organisations in Malaysia. More and more banks have pushed their merchants to be compliant and certified with PCI DSS. While a few merchants require Level 1 certification or Level 2 validation, the bulk of them fall under Level 3 and Level 4. That means a lot of ASV scans and a lot of Self-Assessment Questionnaire (SAQ) advisory. I was asked this question: why have these banks, who are traditionally so dormant and make corporate decisions slower than a crippled sloth, half blind and halfway to the grave, suddenly become so actively engaged in PCI DSS? Perhaps this is due to the pressure they get from the card brands, especially VISA and MasterCard.

After what happened to the infamous Target retailer during 2013 – 2014 and other high-profile hacks, card brands are now in caution mode and have become more stringent with entities connecting to them. This, together with the new PCI-DSS v3.1, means that controls are more stringent and auditees more frustrated. Like everything in PCI, it’s a top-down domino effect: VISA insists on banks being certified; banks claim they cannot be certified yet but are in the process, and they in turn insist that their third-party processors and merchants be compliant. I call this the ‘passing the buck’ philosophy. It’s an open secret that no banks in Malaysia are certified. They will claim they are compliant, the same way my 25-year-old refrigerator is compliant with green and environmentally friendly regulations. It’s not.

Because banks push this compliance downstream, this “passing the buck” effect has caused many entities to start actively looking in every direction to be certified or compliant, because they don’t want to lose their connection with the bank. Is it fair? As one of our merchant clients bluntly put it, while drawing a long drag on his Marlboro Lights and looking wistfully into space: “It’s like being blamed by tobacco companies for polluting the planet with our smoking.”

Should banks be certified? Of course.

However, for them to get certified within a specified period of time is difficult, due to their ever-changing business nature and the overly large scope of systems, people and processes under PCI requirements. Therefore they need more time to remediate all the gaps, and guess what: one of those gaps will invariably be getting their third parties (like my client with his Marlboro Lights) certified.

In the end, service providers, merchants and payment gateways are forced to become more aware that PCI is needed to ensure the continuity of their business, especially if it involves VISA and MasterCard. So why aren’t they getting certified?

The answer lies in the implementation cost. Small to medium merchants and emerging payment gateways with limited funds and limited clients might consider that the cost of paying for a breach is lower than the cost of certification. For example: the need for an IDS/IPS (Intrusion Detection/Prevention System), the need for a central logging server, the need to perform daily log review and to review reports. All of these require additional effort or cost in terms of time, human resources or investment in new devices.

With problems, there will always be solutions. We are keenly aware that not all clients can afford expensive solutions such as separate devices for IDS, FIM (File Integrity Monitoring), syslog and so on, or building a Security Operations Center from the ground up. We have crafted different solutions to serve our customers’ needs, from providing an all-in-one system for compliance to having them outsource their compliance headache to us. Yes, we love to transfer headaches from clients to ourselves. We call our solution PCI Panadol. Just kidding, but it’s a great name.

Our solution starts with this question: how do we get you compliant with the least effort, least time and least money possible, and keep you compliant with these 3 LEASTS (effort, time, money)?

Overall, awareness of PCI DSS has grown a lot in Malaysia. PKF Avant Edge runs monthly PCI Awareness training (HRDF claimable) and we have served large clients through such training. As for implementation, it is just as important to know what is UNNECESSARY for PCI as what is necessary. It starts with the scope. Start right, and you might just cross to the other side of certification and celebrate with a party. Start wrong, and you are looking at a very, very, very long journey with very little happiness in it.

For PCI scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Wafiy Karim, PCI Consultant.

PCI-DSS Applicability to Hosting Providers and Data Centers


Recently I was invited to speak at the quarterly meeting of the Malaysian Data Center Alliance (MDCA) regarding the applicability of PCI-DSS to their business.

More and more, we are getting questions from traditional data center and hosting businesses on whether they should go for PCI-DSS and whether we can help them.

Here’s a quick FAQ for these businesses:

a) Why do Data Centers need PCI?

Actually, you don’t. PCI-DSS is applicable to businesses dealing with payment card data: storing, processing or transmitting it. Those are probably your clients, and in general, where they need to be PCI certified, they want to ensure that their ‘providers’, such as yourself, are certified as well.

For data centers, the pressure for compliance does not come from the payment brands; in almost all cases it comes from the customers themselves.

b) So what benefit do I get from PCI?

The move of hosting providers to become PCI compliant parallels the move of businesses to offload their servers and infrastructure to the ‘cloud’, or to third-party providers that host their applications. The cost savings versus building their own data centers from the ground up make sense to most entities, except for large payment companies and banks. Even so, some of these larger entities outsource their disaster recovery site to a third party, and if they deal with credit cards, then that DR site needs to be compliant as well.

c) So should I be spending money on this compliance?

From a data center perspective, there is no direct requirement to be PCI compliant. However, if a customer is going for PCI-DSS compliance and the data center is NOT compliant, then the data center is obligated to participate in the customer’s PCI program. While this might be manageable for a small group of customers, managing and participating in multiple customers’ projects over the long run is not feasible. Therefore, more and more data centers and hosting providers are moving to become ‘PCI certified’ themselves. Doing so basically lets them just show their certificate to clients instead of participating in each client’s individual compliance program. Some of the largest success stories of PCI-certified hosting/infrastructure are Amazon Web Services and the Microsoft Azure Trust Center.

d) SO…how much will it generally cost?

This is very subjective because even hosting providers and DCs have a scope. However, the general rule of thumb is that the less visibility you have of card data and the fewer services you offer, the less it will cost. For instance, take a data center that only offers M&E and a physical room for the client, against another that offers those AND an internet gateway, IPS/IDS, firewall etc. The latter DC will be up against Requirement 1, Requirement 3, Requirement 9 and other related requirements, while the first one will probably just need to deal with Requirement 9. You could be looking at anywhere between RM30K and RM40K for the entire compliance program (gap assessment, remediation, certification, scans etc).

This might sound like an awful lot, but the whole program consists of two assessments by a QSA (gap and certification) and a whole lot of other services during remediation. A typical onsite security assessment from any of the Big 4 firms is already around 18 – 20K, and they usually just send their juniors who are fresh out of college and generally still living with their parents. Here you get a full-fledged QSA and director- or senior-management-level people supporting the audit. We take it extremely seriously, and we don’t send out pencil pushers with a little checkbox and hardly a stubble on their chin. The penalties for PCI non-compliance are very, very serious, and we need to ensure all our clients get the best possible support.

e) Are you open for a quick meeting onsite?

Of course. Drop me an email at pcidss@pkfmalaysia.com and we will get working on it!

MPSB is re-certified as PCI v3.0!


Congratulations to ManagePay Services Sdn Bhd for re-certifying under PCI v3.0. They are the first among our clients to achieve v3.0!

PCI v3.0 maintains the 12 main requirements from PCI v2. PCI DSS v3.0 became effective January 1st 2014, but organisations were given the choice to comply with either v2 or v3 during 2014. All certifications in 2015 (MPSB included) are certified under v3.0. Under v3.0, however, the major changes include:

a) Testing of segmentation adequacy through penetration testing

This determines whether segmentation has been done properly. We have seen many implementations where ‘segmentation’ was supposedly in place, but we found that the routes between networks allowed unfiltered access between zones. The penetration test verifies whether the CDE is properly isolated from out-of-scope networks.

b) Validation of 3rd party providers

PCI-DSS compliance must be validated if cardholder data is shared with 3rd-party providers. This is done either through their own AOC (like AWS), or through an agreement to participate in the customer’s PCI program.

c) Business as Usual

By far, this is the most challenging for us. Most organisations undergoing PCI-DSS struggle in the second- and third-year re-certification, as they need to demonstrate compliance in everyday activities and not just during the audit period.

d) Protection of POS

Most of the issues in recent times, like Target, are due to POS malware exploitation. v3.0 requires companies to maintain an inventory of POS devices, protect them from tampering, and provide periodic training to staff.

Of course, v3.0 covers a lot more than these. For a more detailed look at PCI v3.1 and how it affects your organisation, you can contact avantedge@pkfmalaysia.com. Or you can join our monthly PCI training, which is HRDF claimable; the latest schedule is at http://www.pkfavantedge.com/training-programs/.


© 2025 PKF AvantEdge
