PCICompliance » PCI Compliance FAQs

What is the role of user authentication in PCI compliance?

sfender@phonefactor.com — Thu, 21 May 2009 22:03:55 +0000

Passwords Just Aren’t Enough
Password phishing is up dramatically and new, more sophisticated phishing methods have emerged. It’s clear that passwords are highly susceptible to attack and agents can’t be trusted to employ best practices with regard to storing and changing their passwords, let alone protecting their PC from malware that could be used to snoop their passwords.

Two-factor authentication (using a password, something you know, plus a second method, such as something you have or something you are to prove a user’s identity) is the new standard.

Regulatory Compliance
Regulatory agencies agree that passwords are a weak link and are requiring companies to implement stronger authentication, particularly for remote workers. Depending on the industries served by the call center, a number of regulations may require them to apply strict standards for authenticating users, including:
• Payment Card Industry Data Security Standards (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Authentication in an Internet Banking Environment Guidance (FFIEC)
• Sarbanes-Oxley

Traditional Two-Factor Authentication Solutions
There are a number of two-factor solutions available, but most are difficult and costly to deploy and maintain for remote call center agents. Tokens and other security devices must be provisioned and mailed to remote agents then replaced if lost of broken. Certificates can be hard to support on hardware that is not company-owned and maintained. Weaker security methods, like security questions, don’t stand up to the scrutiny of a compliance audit.

Telephones As A Security Device?
Particularly well suited for use with remote call center agents is a method of two-factor authentication that uses a simple phone call as the second form of authentication. The agent logs in just like they normally would with a user name and password, and instantly their phone rings. They answer and press # or enter a PIN to complete their login. If the agent is not logging in when they receive a call, they know that their user name and password have been compromised and can press the fraud alert option to block access and alert the I.T. team back at the corporate office.

Because the second factor of authentication occurs across a second network (the public telephone network), there is a significantly enhanced level of security. Both the agent’s internet connection and the public telephone network must be compromised simultaneously in order for the attacker to gain access using the agent’s account.

Cost Savings
With phone-based authentication, there are no devices, software, or certificates to deploy and maintain – it works with the agent’s existing phone. Users require very little training and almost no ongoing support – making phone-based authentication significantly less expensive to setup and maintain than other two-factor solutions.

What if I am not PCI compliant?

sfender@phonefactor.com — Thu, 21 May 2009 21:55:31 +0000

Enforcement of compliance is done by the bodies holding relationships with the in-scope organisations. Thus, for organisations processing Visa or Mastercard transactions, compliance is enforced by the organisation’s acquirer, while organisations handling American Express transactions will deal directly with American Express for the purposes of compliance. In the case of third party suppliers such as hosting companies who have business relationships with in-scope organisations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined.

What are the PCI DSS Requirements?

sfender@phonefactor.com — Thu, 21 May 2009 21:50:40 +0000

The current version of the standard (1.2) specifies 12 requirements for compliance, organized into six logically related groups, which are called “control objectives.”

Control Objectives PCI DSS Requirements

Build and Maintain a Secure Network	1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data	3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program	5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures	7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks	10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes
Maintain an Information Security Policy	12. Maintain a policy that addresses information security

What is the Payment Card Industry (PCI) Data Security Standard?

sfender@phonefactor.com — Thu, 21 May 2009 21:44:10 +0000

The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.

The standard is maintained by the Payment Card Industry Security Standards Council, which maintains both the PCI DSS and a number of other standards, such as the Payment Card Industry PIN Entry Device security requirements (PCI PED) and the Payment Application Data Security Standard (PA-DSS).

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organisation is handling, but regardless of the size of the organisation, compliance must be assessed annually. Organisations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.

Resource Sites

sfender@phonefactor.com — Fri, 15 May 2009 22:12:41 +0000

PCI Information
PCISecurityStandards.org
Wikipedia
Visa

Associations
Consumer Data Industry Association
Society of Payment Security Professionals
Merchant Risk Council