Published: 26 January 2015
By Catherine Jamieson.
We've recently returned from the London PCI conference. It's interesting in its own right because it operates on a full disclosure basis, without reference to names or organisations. One of the keynote presentations, from a card provider, was very strong: three times it stated that security is more important than compliance.
The key reason is that the DSS (Data Security Standard) takes time to collate, write and publish. In that time, attackers change their activities in response to current security practice. The speaker mentioned that, just as DSS 3.0 comes into force, they have already been working on the DSS 4.0 standard for many months. Compliance means that your systems and procedures were good enough on the day they were audited. Security is a continuous process.
We learnt that as cards become more secure (for example, the magnetic stripe is due to disappear this year), attackers shift their attention to the next weakest part of the chain. 2014 was known as the year of the retailer breach.
A merchant is one link in a chain that also includes suppliers, card processors, card issuers and banks. 2015 is likely to be the year in which the interfaces between the elements of that chain are heavily targeted. PCI DSS 3.0 already enshrines this by making the chain the responsibility of both the merchant and its payment processors: the two now have to exchange lists of responsibility, which ensures that there are no gaps.
Users' credentials, and especially those of privileged users, are under heavy attack, with RAM scraping and social-engineering attacks on the increase. The Verizon "2014 Data Breach Investigations Report" clearly shows how the attack vectors have been changing since 2009. Osirium helps against both RAM scraping and social attacks: device passwords are never present in the user's workstation domain, and the Single Sign-On process means that users are not holding any passwords that can be socially engineered out of their heads!
Another big lesson was the increasing value of data left lying around on systems, which can be harvested and combined with other data to reconstruct customers' personal details -- the lesson here is to delete data as soon as it is no longer needed. Osirium ensures that if users have access to a particular system in the domain, they do not automatically inherit rights to access others. This is known as the security cell approach: if one cell is compromised, the others hold fast.
We had a busy time at our stand, and if you'd like to know more about our approach to PCI security, compliance and Privileged User Management -- please get in touch.