
PCI Speak: SHA Versus AES

In one of the more awkward consulting situations, I was sitting in a room where the technical lead of my client, along with his impressionable junior staff, started talking about Requirement 3 of PCI, which we all know is the mother of all inconveniences – secure storage.

Obviously we reached a point where I was talking about strong encryption and recommended AES-256. The technical lead sagely said that he prefers SHA256 to AES. There was a slightly muted pause when he said that, and while his juniors all nodded equally sagely, I was caught between responding and possibly correcting him in front of his juniors, or just muttering an agreement.

You see, AES and SHA are fundamentally used for different things. One is used for hiding and encrypting, the other is used for verifying. SHA is a hash function like the old MD5, while a proper comparison for AES would be 3DES. SHA has no key. Once you SHA’ed it, it’s SHA’ed for life. AES can still be decrypted, and obviously there can be key management in place for it.

I decided to correct him, by saying that these are two different things altogether. However, he still insisted SHA could be used as encryption. I am pondering the day that he decides to SHA his entire database (if that can be done), and I guess we’ll have a very large number of hashes to verify against. We are still in discussion over this.
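To make the distinction concrete, here is an added example in Go (not code from the original post): SHA-256 hashing of a PAN next to AES-256-GCM encryption of it. The hash has no key and no inverse, so a hashed PAN can only ever be compared against a re-hash; the ciphertext can be recovered by whoever holds the key, and a wrong key or a modified ciphertext is rejected. The function names are my own, and the key and PAN used when exercising it are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// hashPAN: SHA-256 of the PAN. No key, no inverse: you can only re-hash and compare.
func hashPAN(pan string) [32]byte { return sha256.Sum256([]byte(pan)) }

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals a PAN under key as nonce || ciphertext || tag.
// Whoever holds the key (and only them) can recover the plaintext.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN. A wrong key or a modified ciphertext
// fails the authentication tag and returns an error instead of garbage.
func decryptPAN(key, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	return string(pt), err
}
```

The key belongs in a key-management system, not beside the data; the hashed value is of no use for reconciliation, which is the practical reason "just SHA it" is not a substitute for encryption.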

Over the course of MANY PCI-DSS projects, we have come across a fair number of scenarios. From the shake-your-head unbelievable nonsense, such as the acquirer bank sending full PAN over fax or email to our service provider and then refusing to comply with PCI, to the often stated problem – we need to keep full PAN to identify the transaction so we can reconcile it later.

That last one is particularly grating, because it forces our customer’s scope to be so large, so unnecessarily. One of the clients we are working with now, when asked, and asked, and asked again, finally conceded that they actually don’t require full PAN.

According to PCI Compliance 3rd Edition by Syngress:

Did you know that you only need four elements to uniquely identify any transaction in your enterprise, and one of those is not the full card number? These elements are as follows:

First six and last four (or just last four) digits of the card number,
Date and time of purchase,
Amount of purchase,
Authorization code.

Customers who have used this method have never reported that two transactions matched these elements identically but had different card numbers.

I’ve been saying that from day one. You don’t need the full 16! The reason people insist on it is that they, or the service provider, or the developers are just too lazy to change the primary reference key to incorporate several parameters that identify a unique record. It’s laziness. So instead they take the most unique key and just use it, forcing compliance that could easily have been avoided. Unless you are an issuer or acquirer, you can technically avoid painful compliance controls if you just STOP obsessing over storing PANs!!
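As an added example in Go (not part of the post or of the Syngress text), here is what a merchant record can carry instead of the full PAN: the PAN truncated to first six and last four, composed with date/time, amount and authorization code into a reconciliation key. The Transaction type, its field names and the validation rules are my own assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Transaction holds what a merchant system receives for a card payment.
// FullPAN appears here only as the input to truncation; once the key is
// derived, the stored record no longer needs the full number.
type Transaction struct {
	FullPAN     string
	When        time.Time
	AmountMinor int64 // amount in minor units (e.g. sen) to avoid float rounding
	Currency    string
	AuthCode    string
}

// TruncatePAN keeps the first six and last four digits of a PAN and masks
// the middle with 'X'. Spaces and dashes in the input are ignored.
func TruncatePAN(pan string) (string, error) {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if len(digits) < 13 || len(digits) > 19 {
		return "", fmt.Errorf("PAN length %d outside 13..19", len(digits))
	}
	for _, r := range digits {
		if r < '0' || r > '9' {
			return "", fmt.Errorf("PAN contains non-digit %q", r)
		}
	}
	masked := digits[:6] + strings.Repeat("X", len(digits)-10) + digits[len(digits)-4:]
	return masked, nil
}

// ReconciliationKey builds the four-element identifier from the quote:
// truncated PAN, date/time of purchase, amount, authorization code.
// Two purchases on different cards sharing first six/last four still
// separate on time, amount or auth code.
func (t Transaction) ReconciliationKey() (string, error) {
	masked, err := TruncatePAN(t.FullPAN)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s|%s|%s %d|%s", masked,
		t.When.UTC().Format(time.RFC3339), t.Currency, t.AmountMinor, t.AuthCode), nil
}
```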

PDPA Data User Classifications

Almost a year in since PDPA was enforced last year, we are still faced with slow adoption by many of our clients. We are still getting questions on whether they need to ‘register’ or not, and if they don’t, they assume they are exempted from the Act.

Registration and compliance are two different matters. Registration applies to the 11 categories of industries, while compliance applies to every organisation dealing with personal information for commercial purposes, including HR.

For easier reference, the data user classifications and their details, once more, are as follows:

Class: Communications
  Licensees under the Communications and Multimedia Act 1998
  Licensees under the Postal Act 2012

Class: Banking and Financial Institutions
  Banks and investment banks licensed under the Financial Services Act 2013
  Islamic banks and international Islamic banks licensed under the Islamic Financial Services Act 2013
  Development financial institutions under the Development Financial Institution Act 2002

Class: Insurance
  Insurers licensed under the Financial Services Act 2013
  Takaful operators and international takaful operators licensed under the Islamic Financial Services Act 2013

Class: Health
  Licensees, and holders of a certificate of registration of a private medical clinic or a private dental clinic, under the Private Healthcare Facilities and Services Act 1998
  A body corporate registered under the Registration of Pharmacists Act 1951

Class: Tourism and Hospitality
  Persons carrying on or operating tourism training institutions, licensed tour operators, licensed travel agents or licensed tourist guides under the Tourism Industry Act 1992
  Persons carrying on or operating registered tourist accommodation premises under the Tourism Industry Act 1992

Class: Transportation
  Malaysian Airlines (MAS), Air Asia, MAS Wings, Air Asia X, Firefly, Berjaya Air and Malindo Air

Class: Education
  Private higher educational institutions registered under the Private Higher Educational Institutions Act 1996
  Private schools or private educational institutions registered under the Education Act 1996

Class: Direct Selling
  Licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993

Class: Services
  Companies or persons in a partnership carrying on businesses in connection with legal, audit, accountancy, engineering or architecture services
  Companies or persons in a partnership conducting retail dealing and wholesale dealing as defined under the Control of Supplies Act 1961
  Companies or persons in a partnership carrying on the business of a private employment agency under the Private Employment Agencies Act 1981

Class: Real Estate
  Licensed housing developers under the Housing Development (Control and Licensing) Act 1966; the Housing Development (Control and Licensing) Enactment 1978, Sabah; and the Housing Development (Control and Licensing) Enactment 1993, Sarawak

Class: Utilities
  Tenaga Nasional Berhad, Sabah Electricity Sdn Bhd, Sarawak Electricity Supply Corporation, SAJ Holding Sdn Bhd, Air Kelantan Sdn Bhd, LAKU Management Sdn Bhd, Perbadanan Bekalan Air Pulau Pinang Sdn Bhd, Syarikat Bekalan Air Selangor Sdn Bhd, Syarikat Air Terengganu Sdn Bhd, Syarikat Air Melaka Sdn Bhd, Syarikat Air Negeri Sembilan Sdn Bhd, Syarikat Air Darul Aman Sdn Bhd, Pengurusan Air Pahang Berhad, Lembaga Air Perak, Lembaga Air Kuching and Lembaga Air Sibu

PCI-DSS Quick Check

Next week will be a busy week for us. We have two big customers going for first-time certification and re-certification respectively for PCI-DSS. The first-time cert will be done against PCI v3.0 while the second customer will be doing PCI v2.0. It should be a very interesting and busy time.

Anyway, I have been going through all the aspects of PCI-DSS certification with each of them. Here’s just a quick refresher on some parameters that systems need to be configured with (activity: parameter):

Session timeouts (inactivity): 15 minutes
Lockout user: 6 attempts
Lockout duration: 30 minutes
Password history prohibition: 4 previous passwords
Minimum password length: 7 alphanumeric characters
Vendor/guest access to secure area: 1 day
Review of logs: 1 day
FIM – changes in critical files, system and application executable files: weekly
Install vendor patches upon release: within one month
Address critical vulnerabilities: within one month
Remove inactive user accounts: 90 days
Change password: 90 days
Logs availability: 3 months online, 12 months offline
Address non-critical vulnerabilities: within 3 months
CCTV video storage of secure room access: minimum 3 months accessible
Wireless access scan: quarterly
Network vulnerability/ASV scan: quarterly
Firewall and router rule set review: half-yearly
Test terminated users to ensure deactivation: half-yearly
Penetration testing for application and network: annual
Review security of offsite backup storage: annual
Inventory media (req 9.9.1): annual
Risk assessment: annual
Training awareness: annual
Acknowledgement of personnel of policy and procedures: annual
Monitor service provider compliance: annual
Test incident response plan: annual
Review, document and validate compensating controls: annual

© 2024 PKF AvantEdge
