Thursday, June 25, 2009

TJX Agrees to Security Pilot Programs and to push End to End Encryption

There were some interesting terms agreed to by TJX in the TJX/State Settlement. First, TJX agrees to participate in pilot programs for new payment security technology, such as chip and pin, if asked to do so by MasterCard or Visa within 2 years of the date of the agreement. After two years, I guess they can say no.

Second, they agreed to take steps within the next 180 days to encourage the development of end to end encryption including seeking the cooperation of their acquiring bank.

The text of these sections appears below. A copy of the entire agreement can be found at:

The Attorneys General and TJX believe that the security of Cardholder Information collected in connection with retail transactions is an important priority. Protecting Cardholder Information is a dynamic challenge, because as security technologies available to retailers evolve, criminals attempt to develop more sophisticated ways of trying to circumvent such technologies. The Attorneys General and TJX therefore agree that possible improvements within the payment card system could aid the protection of consumers. To further that goal, TJX agrees as follows:

A. Pilot Programs. TJX will notify Visa and MasterCard in the United States and its acquiring bank(s) in the United States, simultaneous with the execution of this Assurance, that TJX desires to participate in pilot programs for testing new security-related payment card technology, such as the chip-and-PIN technology that is used in many other countries. TJX will participate in such program(s), if invited to do so, within two (2) years following the Effective Date of this Assurance, provided that any new security-related payment card technology and the terms and conditions of such participation are considered in good faith by TJX to be feasible and reasonable.

B. New Encryption Technologies. TJX will take steps over the one hundred eighty (180) days following the Effective Date of this Assurance, to encourage the development of new technologies within the Payment Card Industry to encrypt Cardholder Information during some or all of the bank authorization process with a goal of achieving "end-to-end" encryption of Cardholder Information (i.e., from PIN pad to acquiring bank). Such methods may include but are not limited to encouraging the development of new technologies and seeking the cooperation of TJX's acquiring bank(s) in the United States and other appropriate third parties. TJX will provide the Attorneys General, within one hundred eighty (180) days following the Effective Date, with a report specifying its progress in this effort.

Wednesday, June 24, 2009

Nevada Data Encryption Law Has Wide Coverage

Nevada recently enacted a new Data Protection law which replaced the previous law that was in effect for less than a year. The new law has some broad-reaching implications. The law applies to any business that has any transactions or employees located in the state, no matter where its headquarters are located, and requires those businesses that accept credit cards to “comply with the current version” of the PCI DSS.

The text of the law is as follows:

"If a data collector doing business in this State accepts a
payment card in connection with a sale of goods or services, the
data collector shall comply with the current version of the
Payment Card Industry (PCI) Data Security Standard, as adopted
by the PCI Security Standards Council or its successor
organization, with respect to those transactions, not later than the
date for compliance set forth in the Payment Card Industry (PCI)
Data Security Standard or by the PCI Security Standards Council
or its successor organization."

While the law requires data encryption for personal information transmitted outside of the enterprise, it does not apply to data transmission over a secure, private communication channel for approval or processing of negotiable instruments, electronic fund transfers or similar payment methods.

Data sent over public communication links needs to be encrypted in a secure, approved manner as spelled out in the law.

The previous version of the law defined personal information as unencrypted information consisting of an individual's last name and first name (or first initial), combined with his or her Social Security number, driver's license or identification card number, or financial account number plus password or access code.

The law also states that if a business (a "data collector" in the law's terminology) is compliant with the law, then the business shall not be liable for damages unless there is gross misconduct involved.

The Nevada law is scheduled to go into effect January 1, 2010.
The full text of the law can be found here:

Friday, June 19, 2009

MasterCard Revises Level II SDP Merchant Compliance

MasterCard has changed its requirements for Level 2 Merchant SDP Program Compliance. SDP, or Site Data Protection, is the MasterCard program for cardholder security and is similar to the Visa CISP Program. Currently Level 2 MasterCard merchants can complete a PCI DSS Self-Assessment Questionnaire and submit that to MasterCard as part of their SDP certification process. Level 2 Merchants are defined by MasterCard as merchants doing between 1M and 6M MasterCard transactions annually or merchants whose transaction volume makes them a Level 2 merchant for another card brand. By December 31, 2010, all Level 2 MasterCard merchants must complete an onsite assessment conducted by a PCI SSC certified Qualified Security Assessor, and thereafter submit an annual onsite assessment conducted by a PCI SSC certified Qualified Security Assessor.
These requirements are included on the MasterCard web site here:

Thursday, June 18, 2009

DOJ warns of escalating criminal assault on the payment system

Kimberly Peretti, Senior Counsel, Computer Crime Division, Department of Justice recently spoke at the MasterCard Global Risk Management Conference. Among the highlights of her presentation:
  • Criminals are now targeting HSMs. With this, they could easily decrypt PINs.
  • DUKPT has been breached. In one case, criminals stole the data in 2004, but it took them 2 years to crack DUKPT. They were aided by having the full Track 2 data, which includes the PIN Verification Value (PVV). Having done this once, they are more sophisticated now and should be able to crack encrypted PINs in less time if they try it again.
  • The group that is targeting processors is still targeting retailers.
  • There has been a huge explosion of breached retail and financial industry networks in the last three years. There are numerous examples of network breaches without card data compromise. It's like exploring for oil but not drilling until the price is right; criminals are doing the same thing.

FBI Cyber Director warns industry of fraud risk

Shawn Henry, Assistant Director, Cyber Division, FBI spoke recently at the MasterCard Global Risk Management Conference. Among the things I found either interesting or scary were:

  • Businesses don’t understand the cyber threat today. They can't feel it, touch it or imagine it, so it is hard to worry about it and prepare for it.
  • Criminals are breaching systems every day and waiting for the opportune time to steal the information. Their breaches leave little trace until a compromise occurs. They cover their tracks and wait to harvest cardholder information. Their presence is not removed after scanning, reloading computers, password changes, network reconfiguration, etc.
  • Some malware waits for specific vulnerabilities to appear before acting, for instance, when a patch is released that has not been applied. They go back to a breached system to see if the patch has been applied, and if not they exploit the vulnerability.
  • There are three types of groups that are attacking systems today.

1. Individuals and Hacker Groups

2. Terrorist Organizations and Sympathizers

3. Advanced and Developing Cyber States

  • Overall, criminal attacks are escalating:

1st – Steal data for themselves and convert it to cash
2nd – Steal data and sell it to others for exploitation
3rd – Hijack your systems for extortion (T-Mobile?)

  • You need to rethink everything, all your assumptions about data security.
    How do you know your downloads are safe? How do you know they have not already been infected? How do you know the hallmark card an employee downloaded simply contained malicious software and not malware designed to steal cardholder data? Look for criminal entry and data exodus everywhere - not just where you might expect them.
  • Adversaries with the interest, ability and intent to get your information can and will breach your system.

Malware emerging as primary data breach weapon

Chris Novak from Verizon provided an update at the MasterCard Global Risk Management Conference in Miami two weeks ago.

Malware is a rising method of attack, and in 25% of the malware attacks, the software was written specifically for the environment that was attacked.

There are three new emerging kinds of attacks: RAM scrapers running in memory, packet sniffers capturing data in motion, and malware that resides in unallocated disk space and is hard to locate.

MasterCard Global Risk Management Conference

I attended the recent MasterCard Global Risk Management Conference in Miami a couple of weeks ago. I will be entering some posts based on some of the things that were covered by the speakers.

The opening speaker was Wendy Murdock, the Chief Franchise Officer for MasterCard. Some of her interesting and main points:
  • 93% of the breached records from 2008 were from financial services firms
  • MasterCard processes 21B transactions a year from 24M acceptance points.
  • They estimate that cardholder data is stored in over 200,000 locations globally (Wow - lots of places to protect and lots of places for criminals to try to find an open window.)
  • She stated that if the industry cannot solve the problem, it will force the government to put in place "burdensome regulations."
  • Financial institutions need "proper incentives" to ensure compliance. (She did not share her thoughts on what they need to be.)
  • MasterCard needs better channels for sharing fraud information. (How about the SPVA and the PPISC?)
  • The industry must use all tools, whether PCI or targeted encryption solutions to solve the problem. (How about end to end encryption!)