nGuard

Compliance

GDPR Fines On The Rise

Since the European Union’s General Data Protection Regulation (GDPR) took effect in May 2018, EU regulators have issued $330.5 million in fines, $192 million of it in the past year alone. As the regulation matures, regulators are growing tougher in their enforcement. Breach notifications are also rising, up 19 percent over the past 12 months. Germany leads with 66,527 breach notifications, while Italy has the fewest with 3,460. Germany, France, and Italy are the top three countries by fines imposed, with a combined $234 million since GDPR was enacted.

During the COVID-19 pandemic, some organizations have seen proposed fines cut significantly, in part on the strength of commitments to improve their security posture. Marriott saw its fine reduced from the originally proposed $123 million to $25 million for a breach that went undetected for over four years and exposed the records of 339 million guests. British Airways saw its fine reduced from $230 million to $27 million after the personal data of over 400 thousand customers was stolen: traffic from its website was diverted to a fraudulent site that harvested customer details, and the diversion went undetected for over two months. The pandemic has provided temporary relief on some fines, but this is not permanent. Organizations need to ensure they are following GDPR requirements or it is going to cost them in large-scale fines.

The four potential sources of privacy protection are markets, technology, self- or co-regulation, and law. GDPR takes the traditional route of law to enforce privacy and data protection. Yet rising fines and strict enforcement show that a law by itself does not produce better privacy and security; organizations still have to do the work. The best advice for organizations subject to GDPR is to err on the side of caution, as fines and cumulative damage claims are only going to rise. As GDPR matures and evolves, new and stricter regulations may follow.

Filed Under: Advisory, Compliance, Financial, General

5 Tips To Obtaining PCI Compliance

Even with the abundance of documentation available to your organization, PCI DSS compliance may seem like a tall mountain to climb. At nGuard, we often see clients of all sizes struggle to achieve compliance for a variety of reasons. Clients with mature and immature security postures alike struggle to decide which actions to take, which policies and procedures to implement, and which infrastructure changes to make when working toward PCI DSS compliance. Here are a few tips to consider when PCI compliance is mandatory for your organization.


1. Limit or Reduce Scope

The first thing we advise customers to do is limit or reduce scope, which can be done in several ways.

  • Segment your network so that the systems that store, process, or transmit payment card data (the cardholder data environment, or CDE) are isolated from general business systems. Segmentation reduces the number of systems in scope for PCI DSS, which in turn limits the time and money your organization spends becoming compliant. Segmentation only reduces scope if it is actually enforced and verified: PCI DSS requires penetration testing to confirm that the segmentation controls are effective.
  • Outsource handling of payment card data to PCI DSS compliant third parties. Shifting cardholder data to a validated service provider satisfies many PCI DSS requirements with fewer changes to internal IT infrastructure and processes. The merchant still owns the relationship: PCI DSS requires a written agreement with each service provider and at least annual monitoring of its compliance status.

2. Use Point-to-Point Encryption

Point-to-point encryption (P2PE) encrypts cardholder data the moment a card is swiped, inserted or tapped at a point-of-interaction (POI) device. The PCI Security Standards Council maintains a list of validated P2PE solutions that meet its P2PE standard. In a validated solution the data travels encrypted from the POI to the solution provider’s decryption environment, and the merchant never holds the decryption keys, so the systems the encrypted data passes through along the way are never exposed to clear-text card data. This is different from end-to-end encryption (E2EE), a generic term for encryption that has not been validated against the P2PE standard and where systems between source and destination may still interact with the data. Using a validated P2PE solution does not remove the merchant’s PCI DSS obligations entirely (the POI devices still have to be protected and an assessment still has to be completed), but it reduces them dramatically. When it comes time to fill out your annual PCI Self-Assessment Questionnaire (SAQ), SAQ P2PE covers only four sections and 35 questions, far fewer than the twelve requirements and hundreds of questions in other SAQ types.


3. Create a PCI Compliant Password Policy

At nGuard we often deal with clients who are not PCI compliant because of their organization’s password policy. While password best practices vary between security frameworks, when it comes to PCI compliance be sure your organization has a written policy that, at a minimum, meets the PCI DSS requirements. Under PCI DSS v3.2.1 (Requirements 8.2.3 through 8.2.5), passwords must:

  • Be a minimum of seven characters long
  • Contain both numeric and alphabetic characters
  • Be changed at least once every ninety days
  • Not be identical to any of the previous four passwords

These are minimums, not a target, and later versions of the standard raise the minimum length, so confirm which version your assessment is against.
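The checks below turn the four requirements above into code. This is an added example written for this page, not nGuard tooling or anything from the PCI SSC; the salted-SHA-256 scheme used for the stored password history is an assumption made so the example runs stand-alone, and a production system would compare against the platform’s own password hashes instead.

```python
"""Added example (not nGuard tooling): checks against the PCI DSS v3.2.1
Requirement 8 password rules.
  8.2.3  at least seven characters, containing both letters and digits
  8.2.4  changed at least once every 90 days
  8.2.5  not the same as any of the previous four passwords
The salted-SHA-256 scheme for the history list is an assumption made so
the example runs stand-alone; a production system would compare against
the platform's own password hashes (bcrypt, scrypt, Argon2, ...)."""
import hashlib
import hmac
from datetime import date, timedelta
from typing import List, Tuple

MIN_LENGTH = 7        # Req. 8.2.3
MAX_AGE_DAYS = 90     # Req. 8.2.4
HISTORY_DEPTH = 4     # Req. 8.2.5

HistoryEntry = Tuple[bytes, bytes]   # (salt, digest), newest first


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256; used here only to populate the sample history."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def complexity_failures(password: str) -> List[str]:
    """Req. 8.2.3: minimum length and both character classes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    return failures


def reuse_failures(password: str, history: List[HistoryEntry]) -> List[str]:
    """Req. 8.2.5: reject a password equal to any of the last four.
    Each stored entry carries its own salt, so the candidate is rehashed
    per entry; compare_digest keeps the comparison constant-time."""
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return ["matches one of the previous four passwords"]
    return []


def check_new_password(password: str, history: List[HistoryEntry]) -> List[str]:
    """Every reason a proposed password fails the policy; [] means accept."""
    return complexity_failures(password) + reuse_failures(password, history)


def password_overdue(last_changed_iso: str, today_iso: str) -> bool:
    """Req. 8.2.4: True when the current password is older than 90 days.
    Dates are ISO-8601 strings (YYYY-MM-DD) so the check is easy to feed
    from an exported user list."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: one user's last two password hashes, newest first.
    salt = bytes(range(16))
    history = [(salt, hash_password("Winter2020", salt)),
               (salt, hash_password("Autumn2020", salt))]
    for candidate in ("Spring2021", "Winter2020", "short1", "longenoughbutletters"):
        print(candidate, "->", check_new_password(candidate, history) or "OK")
    print("rotation overdue:", password_overdue("2021-01-01", "2021-04-02"))
```

Note that `password_overdue` reads the age of the current password, not the new one, so it belongs in a periodic report over the user directory rather than in the change-password path.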

4. Conduct Regular Security Testing

Of the eight SAQ types, many require various levels of penetration testing at different intervals throughout the year. Based on your SAQ type you may be required to conduct annual external and internal penetration tests, web application penetration testing, quarterly Approved Scanning Vendor (ASV) vulnerability scans, and segmentation validation (annually for merchants, every six months for service providers). Conducting these tests not only aligns your organization with PCI requirements but also reduces the number of vulnerabilities in your environment once findings are remediated. When it comes to security, you can never test or scan your infrastructure too much.


5. Speak to a PCI DSS Expert

As stated at the beginning, PCI compliance can be a lengthy, complicated, and time-consuming process for your organization’s resources. When in doubt, speak to a PCI Qualified Security Assessor (QSA) and have them answer your questions and walk you through the PCI standards. A QSA can make determining your scope, choosing the right SAQ, and deciding which requirements apply a quick and straightforward process, often in a matter of days rather than months.

 
nGuard is staffed with several PCI Qualified Security Assessors and is ready to work with you and your organization to assist in the uphill battle that is PCI DSS compliance.

Filed Under: Compliance, General

5 Ways to Ensure a Passing PCI QSA Audit

It’s no secret that most organizations that set out to achieve any level of PCI compliance find it more difficult than they first imagined, and merchants that require Level 1 PCI compliance more so than most.

These merchants require an on-site assessment by an external QSA and a passing Report on Compliance (ROC). No small feat. As a PCI QSA company, our QSAs have identified five key ways to improve your company’s chances of passing its PCI QSA audit. Fortunately, all of them can be performed by internal resources in preparation for an upcoming audit.


1. Know all the places where CHD is transmitted, stored and processed.

A QSA audit begins with interviews to discover all the places where payment cards are accepted, processed, transmitted, stored, and more.

Nearly 100% of the time, in new environments where no prior consultation or audit was performed, we discover processes or systems that are in scope and were previously unknown to the client.

This is understandable, especially if the organization has never gone through a discovery process. Generally, employees are tasked with making things work, and processes and products get created that are never formally documented or even approved.

Processes that can bring systems and people into scope

  • Recorded calls where CHD is stored in the recordings.
  • Physical paper with CHD that is being scanned into another system.
  • Emails where CHD is sent either internally or externally to customers.
  • CHD being shared with partners via undocumented and insecure methods.
  • Temporary “stores” or collections that only happen periodically like an annual conference where the organization accepts payment cards for registration fees.

To discover these processes, interview at least two people in each department: the department manager and the employee who knows the department’s day-to-day processes best. Department managers are often surprised to hear about some of the processes that collect or handle CHD, or at least about the details of how it is handled. Because they do not work the process themselves, they can unintentionally misinform the auditor, so don’t rely on managers alone; make sure you talk to the person with boots on the ground. Most department managers understand this and are more than willing to sit down with the auditor and a member of their team to discuss their interaction with CHD.
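Interviews find the processes; a data discovery pass over the systems those processes touch confirms where CHD actually sits. The following is an added example written for this page (not nGuard tooling): it finds digit runs that look like primary account numbers in text exported from call notes, scanned forms and mailboxes, and keeps only those that pass the Luhn check, which discards most phone numbers and order IDs. The sample records are constructed, and the card numbers in them are the card brands’ public test numbers, not real accounts.

```python
"""Added example (not nGuard tooling): a minimal cardholder-data discovery
pass over text from the places the post names (call notes, scanned
forms, mailboxes, shared files). Candidate PANs are 13-19 digit runs,
optionally split by spaces or dashes; only Luhn-valid runs are reported,
and reported values are masked to first six / last four as PCI DSS
Requirement 3.3 allows for display."""
import re
from typing import Dict, List

# 13-19 digits, allowing the spaces or dashes people type between groups.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid candidate PANs in text, digits only."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four; never write the full PAN to a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: Dict[str, str]) -> Dict[str, List[str]]:
    """records maps a source name to its text; returns masked hits per source."""
    hits = {}
    for source, text in records.items():
        pans = find_pans(text)
        if pans:
            hits[source] = [mask(p) for p in pans]
    return hits


# Constructed sample records; the card numbers are public test numbers.
SAMPLE_RECORDS = {
    "call-notes/2021-03-14.txt":
        "Customer paid by card 4111 1111 1111 1111 exp 09/23 over the phone.",
    "scans/registration-form-0042.txt":
        "Conference registration. Card: 5555-5555-5555-4444. Phone 704-555-0142.",
    "mail/inbox/renewal.eml":
        "Your order 1234567890123 shipped; call 8005550199 with questions.",
}


if __name__ == "__main__":
    for source, masked in scan_records(SAMPLE_RECORDS).items():
        print(f"{source}: {masked}")
```

The order number in the third record is thirteen digits long and is picked up as a candidate, but it fails the Luhn check and is dropped; that is the difference between a discovery tool and a noisy regex. Real scans should also open call recordings (after transcription), database exports and mail archives, since those are where the undocumented processes described above tend to leave CHD.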


2. Know what is in scope for PCI.

As stated previously, most organizations don’t fully understand all their processes in detail. Small details may never get documented and therefore never make it up to the managerial level. Once these processes are fully understood, the next step is to determine how they affect the scope of the audit. In general, the scope includes all people, processes and systems that process, transmit or store CHD. In detail, the organization should understand the flow of CHD through the organization and include every system, person or process that the CHD touches. This includes places that are often overlooked, such as:

  • Phone systems used to collect CHD over the phone.
  • Workstations of Customer Service Reps (CSRs) who take card data over the phone and enter it into a payment application or website.
  • Systems that are not segmented from systems that directly interact with CHD. For example, if the CSR workstations are not segmented from the rest of the organization’s network, then every system on that network is in scope.
  • Web applications that start the payment process and then hand the payment off to a third-party payment provider. These applications typically remain in scope for at least some controls, because a compromised merchant page can redirect or capture the payment.
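The segmentation tip in “5 Tips To Obtaining PCI Compliance” and the third bullet above are two sides of the same scoping rule: a segment is in scope if it is part of the CDE or can connect into it. The following added example (written for this page, not nGuard tooling) models that rule over a small set of network segments and firewall rules so the two cases can be compared. Segment names and rules are constructed. It covers connectivity only; systems that provide security services to the CDE (directory, patching, logging) are also in scope under PCI SSC scoping guidance even without an allowed flow, so treat the result as a lower bound.

```python
"""Added example (not nGuard tooling): derive PCI DSS scope from a
segmentation model. A segment is "CDE" if it stores, processes or
transmits CHD, "connected-to" if any allowed flow reaches a CDE segment,
otherwise "out of scope". Segment names and rules are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str      # segment name, or "any"
    dst: str      # segment name, or "any"
    action: str   # "allow" or "deny"


def path_allowed(rules: List[Rule], src: str, dst: str) -> bool:
    """First-match firewall semantics with an implicit deny at the end."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action == "allow"
    return False


def classify_scope(segments: Iterable[str], cde: Set[str],
                   rules: List[Rule]) -> Dict[str, str]:
    """Label every segment CDE, connected-to, or out of scope."""
    scope = {}
    for seg in segments:
        if seg in cde:
            scope[seg] = "CDE"
        elif any(path_allowed(rules, seg, target) for target in cde):
            scope[seg] = "connected-to"
        else:
            scope[seg] = "out of scope"
    return scope


def segmentation_probes(scope: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flows a segmentation penetration test must prove blocked: every
    segment claimed out of scope, towards every CDE segment."""
    cde = [s for s, label in scope.items() if label == "CDE"]
    outside = [s for s, label in scope.items() if label == "out of scope"]
    return [(src, dst) for src in outside for dst in cde]


# Model 1 (constructed): CSR workstations share the corporate LAN with
# everything else under a permit-any policy. The whole LAN is the CDE and
# even guest Wi-Fi is connected-to; nothing is out of scope.
FLAT_SEGMENTS = ["corporate-lan", "guest-wifi"]
FLAT_CDE = {"corporate-lan"}
FLAT_RULES = [Rule("any", "any", "allow")]

# Model 2 (constructed): POS and CSR workstations moved to their own VLANs
# that deny all inbound traffic except from the management network.
SEGMENTED_SEGMENTS = ["pos-vlan", "csr-vlan", "corporate-lan", "guest-wifi", "mgmt"]
SEGMENTED_CDE = {"pos-vlan", "csr-vlan"}
SEGMENTED_RULES = [
    Rule("mgmt", "any", "allow"),           # jump hosts reach everything: connected-to
    Rule("any", "pos-vlan", "deny"),
    Rule("any", "csr-vlan", "deny"),
    Rule("corporate-lan", "any", "allow"),  # general outbound from the office
]


if __name__ == "__main__":
    for name, segs, cde, rules in (
        ("flat", FLAT_SEGMENTS, FLAT_CDE, FLAT_RULES),
        ("segmented", SEGMENTED_SEGMENTS, SEGMENTED_CDE, SEGMENTED_RULES),
    ):
        scope = classify_scope(segs, cde, rules)
        print(name, scope)
        print("  flows the segmentation test must show blocked:",
              segmentation_probes(scope))
```

In the segmented model the management network stays in scope because its jump hosts can reach the CDE; that is the usual outcome and is why management, directory and monitoring systems are typically assessed alongside the CDE. The `segmentation_probes` output is the test matrix for the segmentation penetration test PCI DSS requires: each listed flow has to be attempted and confirmed blocked before the out-of-scope claim holds.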

3. Reduce the scope.

One of the best ways to secure data and achieve compliance is simply to reduce the number of processes, people and systems in scope for PCI DSS. I often walk customers through this exercise and help them weigh, from both a business and a technical perspective, the positives and negatives of reducing or eliminating processes. Less scope means less risk to CHD. The most common areas for reducing scope are:

Eliminate CHD where possible.

  • P2PE encrypts CHD at the point of interaction, either a card-present point-of-sale terminal or a dedicated keypad used to enter payment card information. Both devices encrypt the CHD on entry and submit it directly to the processor. Although the encrypted data crosses the organization’s network, it is not treated as CHD because it is encrypted with a key the organization does not own or have access to; the decryption key is held by the processor or the service provider supplying the P2PE solution. This removes CHD from the environment for those processes and leaves the organization with only a few controls to meet for securing the devices and the process.
  • Tokenization is the process by which the service provider or processor returns a token that is not CHD but stands in for it. This is used when an organization needs to bill the same card again and would otherwise have to retain the card number. Instead, it retains only the token and submits the token to the service provider or processor for each charge. If the tokens are compromised there is very little risk of an attacker turning them back into CHD, provided the tokens are generated randomly rather than derived from the card number and the mapping from token to PAN lives only in the provider’s vault.

Outsourcing processes to 3rd party service providers.

Although this may not be possible for every process, some are easier to outsource than others. Payments over the web or a mobile app, for example, can usually be outsourced, such as by redirecting the customer to the provider’s hosted payment page, leaving the organization with minimal scope.

Eliminate processes that have little value but heavily increase scope of audit.

Often an organization can review its processes and conclude that some of them, while they have value, do not bring enough to justify the cost of compliance. The most common example is payments over the phone. Most customers who pay by card can also pay through a web application, which leaves many organizations with a very small percentage of customers who call in to pay by card. Yet bringing the entire phone system, the call recording system and the Customer Service Reps’ workstations into scope can be very costly. For this reason, many organizations choose to stop accepting card payments over the phone and instead help those customers pay through the available web application.

Consolidating processes to as few people, processes and systems as possible.

Many organizations have, over many years, added several processes that collect CHD. These processes are often not centrally managed, which leaves the organization with many systems and areas of the network in scope: multiple databases or file systems that store CHD, and several different technologies collecting it. Consolidating these processes onto as few systems and devices as possible can substantially reduce scope. This includes:

  • Taking all web payments through the same payment application, even when the payments are for different services in different departments.
  • Ensuring all card-present transactions are conducted with the same Point-of-Sale devices and processors.

4. Understand Which Controls are Applicable.

Not all controls apply to every environment, and knowing which ones do can save an organization a great deal of time and effort. For example, if you segment and reduce scope enough that no wireless networks remain in scope, you are not required to implement the wireless controls for those networks. Likewise, if you eliminate the storage of CHD, the entire set of controls dealing with protecting stored CHD becomes not applicable.


5. Perform Pre-Audit or Gap Analysis.

This is the audit before the audit, and every organization attempting to become compliant for the first time should perform one. A QSA or an Internal Security Assessor (ISA) should review the current scope, processes and controls and determine which controls are sufficient and which need improvement. For many organizations this is a multi-round process, with each round bringing them closer to compliance. Performing a gap analysis and remediating the failures it uncovers almost always leads to a successful QSA audit and a passing Report on Compliance.

Filed Under: Compliance, General

Financial Institutions Under Pressure as NY Cybersecurity Regulation Goes Into Effect

As cyberattacks have increased over recent years and months, many regulated industries have begun to require compliance with industry-accepted standards in an effort to identify risk and provide guidance on best-practice security controls. One such industry is financial services, which is attempting to keep pace with ongoing attacks that threaten business operations as well as customers’ personal information. To that end, the New York Department of Financial Services (DFS) has released the 23 NYCRR 500 Cybersecurity Regulation for all entities covered by the DFS. The regulation aims to guide entities in developing a cybersecurity program and makes a point of “not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.” Key areas of focus include performing risk assessments specific to an institution’s assets and environment, developing a cybersecurity program to defend against attacks, and identifying individuals within the organization who are qualified to provide ongoing guidance of this program at the CISO level. The program must include:

  • Cybersecurity policies
  • Defining a CISO
  • Ongoing risk assessments
  • Ongoing penetration testing and vulnerability assessments
  • Log monitoring and alerting
  • Access controls
  • Third-party service provider oversight
  • Multi-factor authentication
  • Awareness training
  • Secure data storage and transmission
  • Incident response plan

The DFS 23 NYCRR Part 500 has been in effect since March 1, 2017, and, unless exempted, all DFS covered entities must comply with its core requirements by August 28, 2017, when the 180-day transitional period ends. Achieving full compliance can take time for many institutions, so covered entities have until February 15, 2018 to submit their first certification that the requirements have been met. nGuard realizes many financial institutions do not have the ability or time to identify true risk, or implement even minimal controls, without help. Our team can provide the qualified and expert security resources that will help any institution meet compliance under the new DFS Cybersecurity Regulation. Call and speak to one of nGuard’s experts today.

About nGuard Corporation

nGuard is a leading provider of expert security assessments, managed security services, security incident response, and other advanced security services to organizations across North America & around the world.  nGuard’s relentless focus on securing clients, as well as their unmatched security expertise, has helped them become one of the most sought after security firms in North America.

Filed Under: Compliance, General


3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com

© 2021 nGuard. All right reserved.
