
PCI Professional (PCIP) Certification and Training

I completed the PCI Professional Certification (PCIP) today. It wasn’t very difficult actually, but this is coming from a guy who has gone through more than a dozen PCI-DSS projects for clients ranging from merchants and service providers to banks, doing gap assessments, implementation and coordinating certification with our partner QSA. So yeah, I found it OK, but that’s not to say the next guy will find it so. The questions are really taken from the 12 PCI requirements, and our understanding of them. There is a bit of PTS, P2PE and PA-DSS, but the bulk of it is really in the implementation of PCI in an organisation. It’s a good exam for someone wanting to know more about PCI and needing a good security foundation, but I’d say the QSA cert would be better. Unfortunately it’s not available for me, so PCIP it is then.

In order to be a PCIP, you obviously need to pay for the exam – right now it’s a whopping USD1390. Last year, it was just about USD995. I should have taken it then, but the joys of procrastination have no end. You can have optional training online as well, but for me, since I have been eating and drinking PCI – and also training my clients – USD1390 was plenty enough. Once done, we need to submit our CV to PCI-SSC for them to see whether we are... well, qualified. I don’t know what counts as non-qualified – do they require some number of years of service, etc.? I don’t know, because they responded that I was fine and it was time to set my exam with VUE at any exam center. This is really convenient, because I have an exam center a 5-minute walk from my home.

So what next? We are planning to start our PCI training program next month. I noticed a lot of my clients are in need of an understanding of PCI, and what better than to tie our program up with PCIP? Stay tuned!


PCI Speak: SHA Versus AES

In one of the more awkward consulting situations, I was sitting in a room where the technical lead of my client, along with his impressionable junior staff, started talking about Requirement 3 of PCI, which we all know is the mother of all inconveniences – secure storage.

Obviously we reached a point where I was talking about strong encryption and recommended AES-256. The technical lead sagely said that he prefers SHA256 instead of AES. There was a slightly muted pause when he said that, and while his juniors all nodded equally sagely, I was caught between responding and possibly correcting him in front of his juniors, or just muttering an agreement.

You see, AES and SHA are fundamentally used for different things. One is used for hiding and encrypting, the other is used for verifying. SHA is a hash function like the old MD5, while the proper comparison for AES would be 3DES. SHA has no key and no way back. Once you SHA’ed it, it’s SHA’ed for life. AES can still be decrypted, and obviously there can be key management in place for it.

I decided to correct him, by saying that these are two different things altogether. However, he still insisted SHA could be used as encryption. I am pondering the day that he decides to SHA his entire database (if that can be done), and I guess we’ll have a very large number of hashes to verify against. We are still in discussion over this.
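To make the difference concrete, here is a small Go program (an added example, not from the post) that shows what each primitive can and cannot do with a constructed test PAN: SHA-256 produces a fixed digest with no key and nothing to decrypt, while AES-256-GCM encrypts and decrypts under a key that then has to be managed. The key and PAN values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Sha256Hex is the SHA-256 digest of data as hex: no key, no inverse, so a stored
// digest can only be recomputed and compared, never turned back into a PAN.
func Sha256Hex(data string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(data)))
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAESGCM seals plaintext under key; the random nonce is prepended.
func EncryptAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAESGCM reverses EncryptAESGCM: whoever holds the key gets the PAN
// back, which is why Requirement 3 pairs encryption with key management.
func DecryptAESGCM(key, ciphertext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, io.ErrUnexpectedEOF // truncated or garbage input
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}
```

Hashing the PAN only lets you check whether a candidate value matches; if the business later needs the number back, encryption plus key management is the only one of the two that can deliver it.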

Over the course of MANY PCI-DSS projects, we have come across a fair number of scenarios. From the shake-your-head unbelievable nonsense, such as the acquiring bank sending full PANs over fax or email to our service provider and then refusing to comply with PCI, to the often-stated problem: we need to keep the full PAN to identify the transaction so we can reconcile it later.

That last one is particularly grating, because it forces our customer’s scope to be so large, so unnecessarily. One of the clients we are working with now, when asked, and asked and asked again, finally conceded that actually they don’t require the full PAN.

According to PCI Compliance, 3rd Edition (Syngress):

Did you know that you only need four elements to uniquely identify any transaction in your enterprise, and one of those is not the full card number? These elements are as follows:

First six and last four (or just last four) digits of the card number,
Date and time of purchase,
Amount of purchase,
Authorization code.

Customers who have used this method have never reported that two transactions matched these elements identically but had different card numbers.

I’ve always been saying that from day one. You don’t need the full 16! The reason people insist on it is that they, or the service provider, or the developers are just too lazy to change the primary reference key to incorporate several parameters that identify a unique record. It’s laziness. So instead they take the most unique key and just use it, forcing compliance that could easily have been avoided. Unless you are an issuer or acquirer, you technically can avoid painful compliance controls if you just STOP obsessing over storing PANs!!
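As an added example (not from the post or the book), here is how the four-element identifier can be built in Go: the PAN is truncated to first six and last four on the way in, and reconciliation matches on the combined key, so the full PAN never has to be stored. The field formats and the 4111... test PAN are constructed for illustration.

```go
package main

import (
	"errors"
	"strings"
)

// Transaction holds only what reconciliation needs; the full PAN is never a field.
type Transaction struct {
	MaskedPAN string // first six + last four, e.g. 411111******1111
	DateTime  string // authorization timestamp, as received
	Amount    string // as it appears in the settlement file
	AuthCode  string
}

// MaskPAN keeps the first six and last four digits and replaces the middle with '*'.
func MaskPAN(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN length out of range")
	}
	if strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be digits only")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// NewTransaction masks the PAN on the way in, so the full number never lands
// in the record (and therefore never in the database behind it).
func NewTransaction(pan, dateTime, amount, authCode string) (Transaction, error) {
	masked, err := MaskPAN(pan)
	if err != nil {
		return Transaction{}, err
	}
	return Transaction{masked, dateTime, amount, authCode}, nil
}

// Key is the four-element reconciliation identifier quoted from the book.
func (t Transaction) Key() string {
	return strings.Join([]string{t.MaskedPAN, t.DateTime, t.Amount, t.AuthCode}, "|")
}

// Reconcile finds the stored transaction matching a settlement record by Key.
func Reconcile(stored []Transaction, settlement Transaction) (Transaction, bool) {
	for _, t := range stored {
		if t.Key() == settlement.Key() {
			return t, true
		}
	}
	return Transaction{}, false
}
```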

PCI-DSS Quick Check

Next week will be a busy week for us. We have two big customers going for first-time certification and re-certification respectively for PCI-DSS. The first-time cert will be doing PCI v3.0 while the second customer will be doing PCI v2.0. It should be a very interesting and busy time.

Anyway, I have been going through with them respectively on all the aspects of PCI-DSS certification. Here’s just a quick refresher on some parameters that systems need to be configured with:

Activity | Parameter
Session timeout (inactivity) | 15 minutes
User lockout | 6 failed attempts
Lockout duration | 30 minutes
Password history prohibition | 4 previous passwords
Minimum password length | 7 alphanumeric characters
Vendor/guest access to secure area | 1 day
Review of logs | 1 day
FIM: changes to critical system files and application executables | Weekly
Install vendor patches upon release | Within 1 month
Address critical vulnerabilities | Within 1 month
Remove inactive user accounts | 90 days
Change password | 90 days
Log availability | 3 months online, 12 months offline
Address non-critical vulnerabilities | Within 3 months
CCTV video storage of secure room access | Minimum 3 months accessible
Wireless access scan | Quarterly
Network vulnerability/ASV scan | Quarterly
Firewall and router rule set review | Half-yearly
Test terminated users to ensure deactivation | Half-yearly
Penetration testing for application and network | Annual
Review security for offsite backup storage | Annual
Inventory media (req 9.9.1) | Annual
Risk assessment | Annual
Security awareness training | Annual
Acknowledgement of policy and procedures by personnel | Annual
Monitor service provider compliance | Annual
Test incident response plan | Annual
Review, document and validate compensating controls | Annual
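As an added example (not from the post), here is a small Go checker for the password and lockout rows of the table as they appear on a Linux host: it reads the real /etc/login.defs keys PASS_MAX_DAYS and PASS_MIN_LEN and the real pam_faillock options deny and unlock_time, and reports every setting that misses the table’s value. The mapping of keys to rows is this example’s own, and the configuration text fed to it is constructed.

```go
package main

import (
	"strconv"
	"strings"
)

// Rule ties one setting to a row of the quick-check table above.
type Rule struct {
	Key   string
	Max   bool // true: value must be <= Limit; false: value must be >= Limit
	Limit int
	Row   string
}

// Baseline: real login.defs keys and pam_faillock options, limits from the table.
var Baseline = []Rule{
	{"PASS_MAX_DAYS", true, 90, "Change password: 90 days"},
	{"PASS_MIN_LEN", false, 7, "Minimum password length: 7"},
	{"deny", true, 6, "User lockout: 6 failed attempts"},
	{"unlock_time", false, 30 * 60, "Lockout duration: 30 minutes"},
}

// ParseSettings reads "KEY VALUE" lines (login.defs) and "key=value" tokens (pam
// options): any token followed by an integer is recorded; comments are dropped.
func ParseSettings(content string) map[string]int {
	out := map[string]int{}
	for _, line := range strings.Split(content, "\n") {
		line, _, _ = strings.Cut(line, "#")
		tok := strings.Fields(strings.ReplaceAll(line, "=", " "))
		for i := 0; i+1 < len(tok); i++ {
			if n, err := strconv.Atoi(tok[i+1]); err == nil {
				out[tok[i]] = n
			}
		}
	}
	return out
}

// Check returns one finding per rule the settings violate or leave unset (shown as 0).
func Check(settings map[string]int, rules []Rule) []string {
	var findings []string
	for _, r := range rules {
		v, set := settings[r.Key]
		if !set || (r.Max && v > r.Limit) || (!r.Max && v < r.Limit) {
			findings = append(findings, r.Key+"="+strconv.Itoa(v)+" violates "+r.Row)
		}
	}
	return findings
}
```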

MPSB is PCI-DSS Certified!

What started out as a simple enquiry in 2012 turned into a full-fledged PCI-DSS Level 1 project for Manage Pay Services Berhad (MPSB), one of our success stories in PCI-DSS compliance. MPSB was one of our first clients together, and while the follow-ups and clarifications took some time, we once again demonstrated the value of the client relationship and customer closeness that sets our service apart. With PKF, and working with the QSA vendor Control Case, we are just a call, just a drive away. With additional value-added services like update talks, training, technical services and consultancy, we definitely gave MPSB more than they bargained for. It was precisely this working relationship between MPSB, our local team of PCI consultants and the QSAs from India that made this project a resounding success. It was indeed with great pride that in 2014, less than a year from our gap assessment, we could say: it was a great journey, and now it continues on through maintenance and yearly review.

PCI-DSS can be an extremely arduous project, as it touches major parts of the business and often takes more than 5 – 6 months. Because of this, we have specialised Project Management Professionals (PMP) doing PCI-based projects for banks and large enterprises. For more details, drop us an email at avantedge@pkfmalaysia.com. We will contact you immediately and set you up on your compliance journey.


© 2025 PKF AvantEdge
