Tag: PCI-DSS (Page 10 of 10)

ASV scans – who needs it?

One of the often asked questions we face after dealing with PCI-DSS (Payment Card Industry Data Security Standards) for the past 5 years is also often the simplest. Who needs to do ASV scan?

ASV stands for Approved Scanning Vendors. These are the guys that has been approved to do public scans for PCI clients, by the PCI-SSC (that’s like the Jedi council made up of Master Card and his minions.) Anyway, the ASV scans apply only on external facing IP addresses IN SCOPE.

This is very confusing, because often, our clients will give us a small set of IP, or either a gargantuan set of IPs like 10.x.x.x (yes, that’s an internal zone, so that’s where the education begins), or some give us their entire C class of their ISP.

Technically, the scope is defined by the merchants or service provider (NOT the ASV or QSA). However, if you are undergoing a full PCI program, we will obviously have more knowledge on your network and we can help you define your scope appropriately. Else, if you are a cold call ASV client, we will generally rely on your scan scope provided to us and scan those IP or IP ranges. We prefer you to provide us a set of IP host address, although we can technically do a network range, but the pricing might vary more.

So who needs to do it?

Anyone undergoing PCI.

Who has a public IP address. This includes not just servers, but routers, VPNs, network devices and even POS devices. If you are an ecommerce company, then you will likely have public IP address. If you are a retailer and using IP based POS, then these need to be included. If you have DNS, mail servers that belong to you, then those need to be included.

Whether you are a level 1 merchant or a level 4 merchant, whether you are a level 1 or 2 service provider – you need the ASV scan. The only companies that don’t require it are companies who have no internet capability. This is rare, but lets say a mom and pop grocery store who uses dial up POS provided by the acquirer or a knuckle buster.

Else, if you are undergoing PCI, you best get ready for the ASV scan.

So to summarise the process:

a) Define which addresses are in scope and are PUBLICLY assessible. His includes any IPs that are filtered by firewall.

b) Provide these IPs to the ASV vendor and the ASV will provide a range of source IPs to whitelist. We get some questions: why do we need to whitelist? Why can’t you guys just do the testing without whitelisting? Because ASV scans are not expensive, and we need to get it done fast, so we generally don’t have time to 100% simulate a slow burn attack that most actual attacks might face, who can afford to do that because they are not charging you and they are actually trying to get in.

c) Allow the ASV to do their job. We often get clients giving us like 20 IP addresses, ask us to scan and n half a day demand for a report. Here is the difference between those peddling free unlimited ASV scans vs actual ASV scans = the free unlimited scans do not come with manual verification of findings. So you get say 40 vulnerabilities listed in a colorful chart – you generally need to go through these 40 and address them one by one (whether its an actual vulnerability of not!). For us, we take a few days to plow through the vulnerabilities and remove the false positives by doing a manual verification process, which might include manually checking if, say the system is actually providing an actual information, or it could just be a fingerprinting of OS that got screwed up. That way, we can hash that 40 down to say 10 or less, and makes it less of a chore for you. So beware of ‘Free’ ASV. Nothing in life is Free. Except sunlight and air. And that too is being charged in some countries.

d) Once its done, we release a preliminary report and go through with you what needs to be done. Generally all medium – high issues need to be addressed. In most cases we see are SSL related issues. If it is, good news is that you can move your mitigation plan to June 2018 and buy some grace period. All we require is a formal mitigation plan and we will pass the ASV.

e) ASV needs to be done every quarter.So technically, your ASV report has an expiry (of 3 months from the scanned date). But in some instances, ASV providers such as Control Case allows you to define the quarter in a more precise term. The moment the PO arrives to us, we start counting the quarter. For instance, if it starts today (say date X), then the first quarter will end 3 months from today (say, date Y). You can scan at ANY time in this quarter and it will be good up to the date of Y. So technically, you can scan right at the end of the first quarter (pass Q1) and immediately when you go into Q2, start scanning for Q2. Depending on your ASV provider, your mileage may vary but we’ve worked with a few before and it seems to be a pretty consistent interpretation of quarters.

The ASV scan is by far, one of the least complicated things in PCI. However, don’t underestimate the effort. We had clients who thought one week was plenty enough to do ASV and they missed their quarter scan because we need CLEAN results. If we cannot get clean results (all medium-high issues solved), we cannot pass the ASV. If we cannot pass within the deadline, you miss your Quarter and there is no turning back. It will cause you to have  problem when you re-certify for the coming year for PCI-DSS.

Good luck, and start early!

PKF Avant Edge is now HRDF certified training company

hrdf

We are now a HRDF certified training company.

We have several training that is SBL claimable that includes training materials and certificate of attendance:

1) PCI-DSS Foundation Training (PCIP Led, QSA developed materials), certificate of training from PKF and our vendor QSA Control Case International

2) PCI-DSS Implementor Training (PCIP Led, QSA developed materials), certificate of training from PKF and joint QSA vendor Control Case International

3) GST Malaysia Training (Led by RMCD Certified Trainer)

3) Introduction to Technology Audit (Led by Certified Auditor and Certified Information Security Professional – CISA,CISSP)

5) Project Management Level 1: Foundations (Led by Project Management Professional Certified)

6) Project Management Level 2: Advance (Led by Project Management Professional Certified)

7) Personal Data Protection Act Training (Led by Certified Auditor and Certified Information Security Professional)

Stay tuned for more details. Our training site has been updated at http://www.pkfavantedge.com/training-programs/

If you need more information, please send your enquiries to training@pkfmalaysia.com.

Agrobank Launches Agro Visa Debit-i Card

debitc

Today, we attended Agrobank’s launch of their Visa Debit-i Card at Wisma Tani, Putrajaya. It was an early event, at around 9 am, but even so, the hall was packed with media, vendors (like ourselves) as well as Agrobank’s personnel. It was a big event.

The fact of the matter was that we’ve been with Agrobank on this journey for more than a year. I recall when we first met and I sat opposite a panel of evaluators and them asking me why our compliance program was the best. I answered frankly, because we are completely devoted to our services to our clients. We might not always make all the right moves all the time, and there might be some hiccups along the way of a very long compliance journey for a bank – but what we can guarantee is a fanatical customer support and customer experience. That’s all we have. We are not a big company with a big name to hide behind.

To me – the satisfaction of being invited to one of their biggest event of the year is a testament to their satisfaction of us.

After the event, our Agrobank account manager heading the card services thanked us personally despite her being pulled by other urgent matters, and media activities.

Sometimes, simple thank yous are good signposts and indications that we are doing something right in our business. Here’s looking to a great 2015.

PCI-DSS: Challenges faced in Malaysia

What began as separate compliance programs by major card brands, are now under a unified umbrella called PCI-DSS (Payment Card Industry Data Security Standard). PCI-DSS serves to protect the cardholder data and also the interest of the card brands. VISA, AMEX, MasterCard, JCB, and Discover (Diners Club) established the Payment Card Data Security Standards Council (PCI SSC). The goal of PCI SSC is now to guide any institution, especially the financial institutions to have better security surrounding their credit & debit card businesses.

Is there a need for yet another compliance program? The short answer is a resounding yes. According to StatiscsBrain[1], as of 18th of June 2013, in the United States itself, businesses have suffered more than 11 thousand cases of card fraud with an average loss of $4,930 for each case of card fraud. In total, it has cause a financial loss of around $ 21 million on average.

In Malaysia itself, we are now faced with an alarming rise of card fraud cases. According to Bank Negara Malaysia (BNM), [2] while the cases of fraud have decreased overall, the fraud volume still remains high. If the customer, merchant and the banks do not put in a concerted effort to fight these fraud cases, many more will fall victim to increasingly sophisticated attacks. This is also supported by The United States Security Council (OSAC)[3] stating: “credit card fraud has decreased but still continues to become a problem”. In short, the frequency might be less but the amount that each case brings is still a problem to the authorities.

In terms of the PCI DSS certification, a majority of large financial institutions in Malaysia, especially banks and larger service providers are still undergoing the process. Some have taken more than 3 years to be certified. PCI DSS is already a difficult compliance to begin with, with more than 300 plus controls to deal with. Financial institutions are pressured by card brands to ensure that PCI DSS become their utmost priority, both internally as well as for any service provider or merchants dealing in card business.

In some cases, one of the reason for certification delay is the lack of documentation done on each system in the PCI scope, causing a lack of proper maintenance on the system. This covers from software to hardware and network devices. This will affect the certification in the remediation phase where the administrator really needs to identify each data flow concerning card data and needs to clean up to ensure that unnecessary rules, ports and services are disabled. The amount of legacy rules, unmanaged inventory are significantly large, especially for banks that own distributed branches. The undertaking is intimidatingly difficult.

Furthermore, the implementation of Malaysian Electronic Payment System (MEPS) which allows the sharing of ATM networks, gives the ability for customers to withdraw their money via a different ATM bank using a debit card. Debit cards are under the PCI purview, and is often doubled as an ATM card that can be used to make purchases just by deducting the account balance by swiping it. These have enabled the storing of user Primary Account Number (PAN) in the institutions and to some extent in clear text for settlement purposes which violates the requirements in PCI DSS. The transmission of the card data must also be addressed, as the card data might travel through non-secured channels such as normal emails, or open channels that can cause the data to be intercepted in transmission. Therefore controls have to be taken to ensure that all networks in and out are secured

Another point of concern is the PCI DSS exercise budget. Every organization big or small, private or public listed have a certain amount of budget allocated. While IT budgets have grown significantly, it has to be reminded that PCI is NOT an IT initiative. It is a business initiative and might take a large portion of the said budget. The budget would be used for the engagement of third party experts or actual products to mitigate the concerns. Due to budgeting, companies often overlook certain areas by cutting down the budget such as avoiding expert consultancy. They opt to do the certification or the remediation process by themselves in order to save some portion of the budget. This has short term yield but sacrifices the long term goals. Taking on PCI is akin to journeying through an uncharted maze. Having a guide is therefore critical especially for first timers in a relatively large company.

In conclusion, there is still a long way to go for Malaysian companies to abide 100% to the requirements of PCI-DSS. For that, they need to  fully understand the  requirements and ensure proper scoping is done (as there are cases where one can OVERDO the compliance). For a free scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

Article by: Wafiy Karim

PKF Avant Edge Sdn Bhd

Newer posts »

© 2024 PKF AvantEdge

Up ↑