PCI-DSS and PA-DSS
Today’s online world and the move toward cashless transactions have brought more players into the payment industry than ever before. Cash is no longer considered the only means of payment, and credit and debit cards have become the norm for customers making purchases through brick-and-mortar stores as well as through online portals. This in turn has given rise to credit and debit card fraud, and ‘fraud management’ has become an important branch of research for vendors and merchants alike. As soon as a data breach occurs, the PCI-DSS objectives come into sharp focus (‘Was the organization PCI compliant?’ is the first thought). This article:
- showcases some examples of data breaches
- gives a brief perspective on PCI-DSS, PA-DSS and some of the reasons for data breaches
- explains the differences between the two.
Michaels, Home Depot, Staples: there were a variety of data breaches in 2014, but the Target breach started them all. The Target breach occurred in December 2013 and was considered one of the worst data breaches, as it compromised information relating to 70 million customers! Here are some statistics related to the data breach, compiled from various sources:
- According to the corporate Target website, names, email addresses, mailing addresses and telephone numbers of 70 million individuals may have been affected [dat15]. Fortunately, PINs were not compromised, as they were encrypted.
- 1-3 million of the cards were then sold on the black market.
- Hackers likely made $53.7 million by selling the cards. [The14]
- Before the Target data breach, only 13% of senior management felt the need for enhanced security, while after the breach, that number jumped to 55%.
- There was no CISO (Chief Information Security Officer) or CSO (Chief Security Officer) at Target at the time of the breach. [kre14]
How did it happen?
Sophisticated cybercriminals managed to gain access to internal systems through a third-party HVAC vendor. Once they had penetrated the network, the hackers installed malware on the POS terminals, thereby infiltrating the entire infrastructure across the US. The malware began affecting customers as soon as shoppers used their credit/debit cards to make purchases.
The information from the shoppers’ swiped cards was then offloaded to data drop sites. Most of the stolen cards were then sold for 20 dollars a card. It should be noted that only 5% of the total cards that were compromised were eventually sold.
FireEye alerts were communicated to Target’s Bangalore location, which in turn passed them on to Minneapolis, but amid all the alarms being generated, this one was lost, and it proved costly.
The Home Depot data breach was similar to the Target data breach; here are some of the statistics related to the crime:
- Malware similar to the one found in the Target data breach was found installed on the POS terminals of Home Depot.
- This malware was likewise used to steal credit card information, which was then sold on other sites.
- 56 million credit cards were compromised.
- The breach cost around $62 million. [Wit14]
Having looked at the two breaches, let us see whether companies are being PCI compliant in order to prevent breaches. According to the Verizon 2015 PCI Compliance report, “not a single company is PCI-DSS compliant at the time of the breach”. [Ver15]
But before we discuss what is meant by PCI compliant, let us first discuss what is meant by PCI-DSS.
PCI-DSS, or ‘Payment Card Industry – Data Security Standard’, is a set of rules and regulations to help the very vulnerable credit card industry. The present-day PCI-DSS is the evolution of the separate data security programs of the major card companies: Visa’s Cardholder Information Security Program, MasterCard’s Site Data Protection, American Express’ Data Security Operating Policy, Discover’s Information Security and Compliance, and JCB’s Data Security Program. It was first launched in 2004 and has a release once every 3 years. The latest release, PCI-DSS 3.0, was launched in November 2013. The PCI-DSS objectives apply to all entities that deal with credit card data: merchants, processors, acquirers and issuers.
PCI-DSS specifies 12 control objectives to protect cardholder data (CHD). The following list condenses the objectives of PCI-DSS.
The first two objectives relate to building and securing the network.
- An effective firewall configuration should be used to protect CHD.
- Vendor-supplied defaults and passwords should not be used when storing and dealing with CHD.
The third and fourth objectives relate to protecting CHD.
- CHD must be protected.
- When CHD is transmitted over public networks, it must be encrypted.
The fifth and sixth objectives relate to maintaining a ‘vulnerability management program’.
- Obviously, ‘prevention is better than cure’, so it is better to maintain anti-virus definitions and keep them up to date than to deal later with breaches resulting from negligence.
- Continuing from point 5, systems must be maintained in a secure way.
The seventh, eighth and ninth objectives relate to access control of CHD.
- CHD must be accessed only by those with a business necessity.
- Each individual accessing CHD must be provided with a unique ID.
- Physical access to CHD must be restricted.
The tenth and eleventh objectives relate to monitoring and testing the networks.
- All access to CHD must be monitored.
- All security systems must be regularly tested.
The last objective relates to policy.
As InfoSec professionals, most of us know the importance of a policy. Policy is always the baseline for most procedures, and in this case too an information security policy is needed.
Having seen what is meant by PCI-DSS, we next move onto PA-DSS.
The PA-DSS standard was created for vendors of payment applications so that their applications do not misuse the credit/debit card data handled during transactions. PA-DSS, or ‘Payment Application Data Security Standard’, was previously known as PABP (Payment Application Best Practice) and was created by the Payment Card Industry Security Standards Council (PCI SSC) in 2008. PABP was originally created by Visa and was gradually phased out to become PA-DSS. Simply put, PA-DSS makes sure that payment applications do not store the magnetic stripe data, the CVV2 number or the ‘Personal Identification Number’ (PIN), and that all crucial information that passes over public networks is encrypted.
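As an added illustration of the PA-DSS storage rule (my own example code, not from the article or the standard), the following Python check scans constructed stored records for data a payment application must not retain: full track-2 data, the CVV2, and unmasked PANs, and shows the first-six/last-four masking PCI-DSS allows. The record layout, regexes and function names are my own assumptions.

```python
import re

# Constructed sample records standing in for rows a payment application
# might persist; the PAN is the well-known Visa test number, not a real account.
SAMPLE_RECORDS = [
    "txn=1001;pan=4111111111111111;exp=2612;cvv2=123",
    "txn=1002;track2=4111111111111111=26121011234567890",
    "txn=1003;pan=411111******1111;exp=2612",
]

# Track 2 data looks like PAN=YYMM...; CVV2 fields; bare 13-19 digit runs.
TRACK2_RE = re.compile(r"(\d{13,19})=(\d{4})\d*")
CVV_RE = re.compile(r"cv[vc]2?\s*[=:]\s*\d{3,4}", re.IGNORECASE)
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates plausible PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI-DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sad(record: str) -> list:
    """Return which kinds of sensitive data one stored record contains."""
    findings = []
    if TRACK2_RE.search(record):
        findings.append("track2")
    if CVV_RE.search(record):
        findings.append("cvv2")
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(record)):
        findings.append("unmasked_pan")
    return findings


def scan(records) -> dict:
    """Map each offending record's transaction id to its findings."""
    return {rec.split(";", 1)[0]: find_sad(rec) for rec in records if find_sad(rec)}
```

Run against the constructed records, only the masked-PAN row passes; the other two would fail a PA-DSS review because they retain the CVV2 and full track-2 data respectively.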
Differences between PCI-DSS and PA-DSS
Now that we have seen what is meant by PCI-DSS and PA-DSS, do they look fairly similar? Well, they are not. While all organizations dealing with credit/debit cards have to meet PCI-DSS requirements, the PA-DSS standard applies only to vendors of payment applications. For example, if a payment application developed by an organization is to be used only within the organization itself, it need not be PA-DSS compliant, but it still has to be PCI-DSS compliant.
Further, merely deploying a PA-DSS application does not make the environment itself PCI-DSS compliant.
Applications are said to be PA-DSS compliant when they are validated by Payment Application Qualified Security Assessor (PA QSA) companies.
How can breaches be prevented?
Having stated the differences between PCI-DSS and PA-DSS, let us look at the causes of some breaches. According to the Verizon 2015 PCI Compliance report:
- Only 40% of the companies surveyed admitted to having followed the second rule of PCI-DSS compliance after being breached, namely changing vendor-supplied passwords when storing cardholder data.
- In 2014, there was malware targeting not only Windows systems but also Linux and MacOS systems. This reinforces the fifth objective of keeping anti-virus definitions up to date and having malware protection.
- 38% of the POS (point of sale) hacking incidents in 2014 involved stolen credentials, thereby flouting objective number 7, which states that access to the data should be restricted to business necessity.
- Objective 11 states that all systems must be regularly tested, and only 9% of the organizations breached were said to be following this requirement.
- The lowest compliance rate was for requirement 12.10, which states that an incident response plan is to be implemented (58%). [Ver15]
The future of the payment industry
While credit cards may seem to be “the” way to pay for transactions, they are certainly not the magic bullet for all payment needs in today’s risk-prone world. Considering the various breaches, new technologies are needed to avert similar breaches. To this end, Visa and MasterCard have adopted either “chip and PIN” or “chip and signature” technology for their cards. The “chip” technology gives more protection than the normal credit card, where the account number is stored on the magnetic stripe.
Until better forms of payment are available, the normal credit/debit card with the magnetic stripe remains in use all over the world, and PCI compliance will help us keep the hackers at bay.
References
- [kre14] (2014, Sept 18). Retrieved March 17, 2015, from krebsonsecurity.com: http://krebsonsecurity.com/tag/target-data-breach/
- [dat15] Data breach FAQ. (n.d.). Retrieved March 10, 2015, from corporate.target.com: https://corporate.target.com/about/shopping-experience/payment-card-issue-FAQ#q5888
- [The14] The Target Breach by the numbers. (2014, May 6). Retrieved March 10, 2015, from krebsonsecurity.com: http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
- [Ver15] Verizon 2015 PCI Compliance report. (n.d.). Retrieved March 18, 2015, from VerizonEnterprise.com: http://www.verizonenterprise.com/resources/reports/rp_pci-report-2015_en_xg.pdf
- [Wit14] With 56 Million Cards Compromised, Home Depot’s Breach Is Bigger Than Target’s. (2014, Sept 18). Retrieved March 18, 2015, from Forbes.com: http://www.forbes.com/sites/katevinton/2014/09/18/with-56-million-cards-compromised-home-depots-breach-is-bigger-than-targets/