• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Barclaycard Payment Security Newsletter Jan11
 

Barclaycard Payment Security Newsletter Jan11

on

  • 1,290 views

Barclaycard Payment Security Newsletter, Q1 2011

Barclaycard Payment Security Newsletter, Q1 2011

Statistics

Views

Total Views
1,290
Views on SlideShare
1,290
Embed Views
0

Actions

Likes
0
Downloads
11
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Barclaycard Payment Security Newsletter Jan11 Barclaycard Payment Security Newsletter Jan11 Document Transcript

    • payment acceptance leading the way in secure payments Welcome! To the first edition of the Barclaycard Payment Security Newsletter Happy New Year! It’s hard to believe that 2010 is now behind us. And what a year it In this issue was! With the recent release of PCI DSS and PA-DSS version 2.0; the further guidance documents by the PCI SSC, the Card Schemes and ourselves; the new PFI (PCI Forensic Investigator) and ISA (Internal Security Assessor) programmes, it certainly Olympics – are you prepared?............ .......….2 was a busy year. A big thank you to all our customers and Top tips for success………………………… …….2-3 partners for their commitment to keeping the payments network Securing mobile devices…………..……… ……….3 secure and achieving the overall 28% card fraud reduction in the UK in 2009*. Technology Spotlight Navigating through the cloud…….……. ……….4 As we enter 2011, we’re faced with a set of new challenges as well as the old ones. In this issue we touch on hot topics such as OWASP Top Ten…………………………….. ……….6 cybercrime, mobile security and cloud computing, as well as From the card schemes…………………… ……….7 topical news from the industry and why you should be watching Compliance Index by sector…………… ……….8 out for the Olympics. PCI DSS……………..……………………………. ……….9 It’s undeniable that 2010 was the Year Of The Cloud with all the buzz about Salesforce.com, IBM, Google, Microsoft , Oracle, Upcoming events……………………………. ……….9 Amazon, Rackspace, Dell and others positioning themselves in From our partners…………………………… ..….....9 the new clouds. A study by Cisco Systems (December 2010) Resources……………………………………….. …..…10 projected that almost 12% of all enterprise workloads will run in the public cloud by the end of 2013, whilst the key opportunity Have your say…………………………………. ………12 for service providers is to differentiate themselves by providing cloud services. The study also highlighted that the key issues What is cloud computing? determining migration decisions revolve around perceptions by Here’s Barclaycard’s definition: executives about security and control, data-centre overcapacity Cloud computing is the on demand and scale, and the availability of skilled IT people. provision and use of shared computing Evidently, the cloud is exciting, with the potential to reduce capital resources e.g. network infrastructure, costs and increase agility by divesting infrastructure and server capacity, data storage and software to computers and other devices (similar to application management to concentrate on core competencies. buying a utility resource like electricity). But with new opportunities come new risks. In some cases, moving to the cloud allows re-design of older applications and It allows organisations to purchase resilient, flexible & scalable computing capacity to infrastructure to meet or exceed modern security requirements. meet changing needs without worrying At other times, the risk of moving sensitive data and applications about having to deploy & manage this to an emerging infrastructure might exceed tolerance levels. As infrastructure themselves, where typically always, it’s all about risk management (more on this page 4). more infrastructure is deployed to manage demand peaks and resilience thus adding to their cost base. Capacity is bought in terms of computing power (e.g. CPU cycles and memory) or software services (e.g. I look forward to working with you all in 2011! applications). Neira Jones We say: a new definition for an old concept. Head of Payment Security * as reported by UK Cards Association in March 2010.Payment Security Newsletter – Issue 1 – January 2011 Page 1
    • payment acceptance leading the way in secure payments Olympics 2012 Cybercrime on the rise? Olympics 2012 – are you prepared? With the construction of all the new main venues and Barclaycard top tips for a infrastructure for the London 2012 Games well underway, successful PCI DSS journey preparations are on track, but are you prepared for 2012? This may seem a strange question in a payment security Prepare for change newsletter, so let’s look at a few facts. On 18th October 2010, the UK Government published their National Security Strategy 1. Don’t treat PCI DSS as an IT project: which placed "Hostile attacks upon UK Cyberspace by other it is a Change Programme and states and large scale cyber crime" at the same level as needs organisational commitment. International Terrorism, and International Military threats. In 2. Train staff at all levels (there will be 2008, Beijing suffered 12 million cyber attacks per day during the various degrees of training, and Olympic Games. These games lasted for 16 days, the total don’t forget Board and Exco) and number of attacks: 192 million. The number of internet users was embed an Information Security estimated at 1.9 billion users in June 2010*, up 23% since 2008. culture within your organisation As the number of internet users increases we’re likely to see far early. (*) higher attack statistics every year. 3. Scope: Understand how card With about 500 days to go (and much less than that when we payments are currently processed consider that ticketing, bookings and merchandising will start as (people, process and technology). early as March 2011), the organised crime community is certainly Reduce the scope of the cardholder very busy. Organisations should start addressing their potential environment (the smaller, the easier) risks now, as well as advising their customers. 4. There will be quick wins derived by For those merchants out there still using non chip & PIN reviewing and changing business terminals, now is the time to update them… For those with online processes and historical practices shops, see our top tips on the right and next page, and our white that require little investment. If you paper on “Processing Online Payments Securely”: don’t need cardholder information, http://www.barclaycard.co.uk/business/documents/pdfs/proces don’t have it… sing_online_card_payments.pdf 5. Develop a gap analysis between So you’re ready to answer any customer queries on fraud, take current practices and what is a look at the newly launched www.financialfraudaction.org.uk necessary to become PCI DSS from Financial Fraud Action UK - the body which co-ordinates the compliant. The gap analysis and financial services industry’s fraud prevention activity. cardholder data flow mapping is the This new site covers a wide range of financial fraud issues and most important step (and this provides fraud prevention advice to will help you find what you should be refreshed periodically - need quickly and easily, including sections focused on once a year is advised). consumers, retailers, police and media. Also, coming soon to the site will be some interactive retailer training. (continued next page) Spread the word! * Note: see “resources” on the page 10 if *Source: Miniwatts Marketing Group, 2010 you need help with this.Payment Security Newsletter – Issue 1 – January 2011 Page 2
    • payment acceptance leading the way in secure payments Mobile devices Have you considered everything? Securing mobile devices Barclaycard top tips for a On 31st December 2010, the BBC announced that mobile calls and texts made on any GSM network can be eavesdropped successful PCI DSS journey (cont./.) using four cheap mobile phones and open source software (http://www.bbc.co.uk/news/technology-12094227). On the same day, The Register* announced that mobile malware Reduce Risk (dubbed Geinimi) is capable of stealing data from infected 6. Remove sensitive authentication Android smartphones appeared in China. This Trojan, which data storage as a top most priority. usually poses as a gaming app, has been uploaded onto third- 7. Prioritise Risk: once SAD storage is party Chinese Android app markets and sends, if installed, addressed, look at vulnerabilities in personal data to a remote server (specifically device identifiers, the Card Not Present environment location information and list of installed applications) (e-commerce and Mail Order/ (http://www.theregister.co.uk/2010/12/31/china_android_trojan/) Telephone Order). (This tip is for But phones are not the only mobile devices around, and when markets that have implemented looking at security you should equally consider: EMV in their face-to-face channel). • Full-featured mobile phones with functionality similar to 8. Outsource to compliant third parties personal computers, or “smartphones” where possible: in the e-comm • Laptops, netbooks, tablet computers and portable digital space, Level 1 PCI DSS compliant assistants (PDAs) end-to-end e-comm Software as a • Portable USB devices for storage (such as “thumb drives” and Service (SaaS) is increasingly seen MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and as a means of achieving compliance HSDPA/UMTS/EDGE/GPRS modem cards) quicker & maximising RoI. And if not • Digital cameras possible, tie down third parties (contractually). (*) • Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management 9. Assess suitability of and implement • Infrared-enabled (IrDA) devices (printers, smart cards, etc.) risk mitigation technologies (e.g. Verified by Visa, Secure Code, Many of these devices enable employees to be away from the tokenisation, point-to-point office whilst having the convenience of all the office resources encryption, etc.), whilst these are through phone, e-mail and text by using wireless networks, with not PCI DSS requirements, they will many providing access to the Internet, company documents and improve security and reduce risk. drives, video/photographic and storage capability. So let’s not forget about security principles from the PCI DSS and focus on 10.If Compensating Controls are the following for all these devices: wireless network required ensure that all parties are requirements, encryption of data at rest and in transit, engaged to agree the controls authentication, anti-virus, etc. Of course, all of this must be before implementation (merchant, underpinned by a sound information security policy for mobile QSA, acquirers) devices and an effective staff awareness programme. Security in Finally, always work in partnership with your the mobile space is not just about mobile phones. acquirer and your QSA. For additional resources related to mobile devices, please see * Note: see “resources” on page 10 if www.isaca.org/mobiledevices you need help with this. * http://www.theregister.co.uk/Payment Security Newsletter – Issue 1 – January 2011 Page 3
    • payment acceptance leading the way in secure payments Technology Spotlight Navigating through the Cloud Maintaining a secure payments environment when the Optimising security and accepted boundaries of control and trust are changing compliance programmes On 27th January 2011, I‘m looking forward to presenting at PCI to reduce risk and deliver London on this topic. For those who can’t make it, here’s a quick business value summary of my presentation, following on from the introduction on the first page of this newsletter. 27th January 2011 The fact remains that Cloud Computing isn’t necessarily any Victoria Park Plaza Hotel more or any less secure than your current environment. But London SW1V 1EQ misconceptions are still abound, especially when it comes to security, and the limitations on cloud computing growth will PCI London provides critical advice for include issues of data custody, control, security, privacy, senior decision makers on how to jurisdiction and portability standards for data and code. ensure information security compliance Adopting Cloud Computing is a complex decision involving many and implement payment security best factors as it may include not only desktop applications, e-mail, practices in order to minimise collaboration and enterprise resource planning but potentially complexity, reduce risk, create value, any application. It’s therefore not surprising that enterprises are and keep costs low. Offering practical grappling with the dilemma of how to lose control gracefully insights on how best to protect whilst maintaining accountability when operational customers and payment data in a responsibilities for handling and securing their assets rests with constantly changing business one or more third parties environment, this event is specifically Cloud Implementation Considerations designed to help meet the challenges of There are many different cloud implementation considerations: a rapidly evolving landscape. PCI London is designed specifically for • Cloud deployment model - public vs. private deployments, professionals who are responsible for • Cloud location - internal vs. external hosting or combined, managing key functions within global • Cloud service models - Software as a Service (SaaS), Platform and national organisations that include as a Service (PaaS), Infrastructure as a Service (IaaS), banks, merchants and acquirers, such commonly referred to as SPI, as well as the emerging model of as information security, IT, risk, cloud service brokers. compliance, fraud, audit, QA, policy, and governance. This community Essentially, understanding the relationships between Cloud meeting brings together an exclusive Service Models is fundamental to understanding Cloud audience in order to discuss the most Computing security risks. IaaS is the foundation of all cloud efficient and cost effective solutions for services, with PaaS building on IaaS, and SaaS in turn building on overcoming the key security and PaaS. The key consideration for a security architecture is that the compliance challenges faced today. lower down the stack the cloud service provider stops, the more organisations will be responsible for managing and implementing security for their assets. For information and registration, please see http://www.pci-portal.com/pci-londonPayment Security Newsletter – Issue 1 – January 2011 Page 4
    • payment acceptance leading the way in secure payments Cloud Computing: Managing Risk This will be a challenging undertaking, as organisations will need to ask cloud services providers Categorise to disclose their security controls and how they are This means that organisations should adopt a risk- implemented to the “consuming” organisation, and based approach to moving to the cloud and “consuming” organisations will need to know which selecting security options i.e. what enterprise asset controls are needed to maintain the security of their (data or applications/functions/processes) is being information. Lack of thoroughness and transparency considered for a potential move to the cloud and at this stage can lead to detrimental outcomes. how sensitive is that asset? The first step in Cloud Architecture & Security determining a cloud migration “posture” is to categorise and evaluate the asset for It is critical that a cloud service is classified against the confidentiality, integrity and availability and how cloud architecture model, then against the security these will be affected if the asset is handled in the architecture, and then against the business, cloud. When it comes to cardholder information regulatory and other compliance requirements (which related assets (either cardholder data or payment essentially amounts to a gap analysis). In SaaS applications), the process is the same, and the PCI environments, the security controls and their scope DSS standard fits neatly with the security control are negotiated in the service contracts (SLAs, privacy, model to be applied to a cloud model. compliance, etc.). In and IaaS offering, the provider will be responsible for securing the underlying Asset Risk Classification infrastructure and abstraction layers, the consuming Once an understanding of the asset’s importance organisation will be responsible for the security of the is gained, the organisation should determine which remainder for the stack. PaaS service providers will be risks will be acceptable to their security posture in responsible for the security of the platform, whilst the the various deployment models (private, public, “consuming” organisations will be responsible for community, or hybrid) and hosting locations securing the applications developed against the (internal, external, or combined). This step enables platform as well as developing them securely (e.g. the organisation to map its security and risk OWASP Top 10 – see next page). requirements for the asset depending on how Data Flow Mapping (deployment models) and where (locations) the services will be deployed. When evaluating specific deployment options, organisations should map out the data flow between Control & Risk Management all consumers and providers (e.g. the organisation, the Once the asset has been classified and risk appetite cloud service, customers, other nodes, etc.). Before ascertained for cloud deployment and location, the making a final decision, it is essential to understand next step will be to focus on the degree of control whether, and how, data can move in and out of the and risk management the organisation will have for cloud in order to identify risk exposure points. each of the cloud service models. This is because, whilst the risk assessment depends on the “where” And finally… and “how” of the assets described in the previous By following a risk-based approach, organisations will paragraph, it also depends on the following: understand the importance of what they are • The types of assets being managed considering moving to the cloud, their risk tolerance • Who manages them and how (at least at a high level), and which combinations of deployment and service models are acceptable. They • Which controls are selected and why will also have a rough idea of potential exposure • What compliance issues need to be considered points for sensitive information and operations. The SPI Model I recommend the following two papers from the Cloud Risk mitigation should be considered for each of the Security Alliance: Security Guidance for Critical Areas SPI tiers (SaaS, PaaS, IaaS) as well as compliance of Focus in Cloud Computing v2.1 (December 2009) and regulatory requirements (e.g. PCI DSS, FSA, and Top Threats to Cloud Computing v1.0 (March SOX, etc.). At this stage, organisations will evaluate 2010) for their detailed analysis on which this article is and assess the risk for potential cloud service based. models and providers. http://www.cloudsecurityalliance.org/Research.htmlPayment Security Newsletter – Issue 1 – January 2011 Page 5
    • payment acceptance leading the way in secure payments Web application security Managing risks and developing secure web applications Web application security risks OWASP Top 10 OWASP Insecure software is already undermining our financial, retail, defence, energy and other critical infrastructure. As our digital infrastructure becomes interconnected and increasingly complex, the difficulty of achieving web application security The Open Web Application increases exponentially. We can no longer afford to tolerate Security Project relatively simple security problems like those presented in the OWASP Top 10. The OWASP Top 10 provides a The Top 10 project is referenced by many standards, books, powerful awareness document for web tools, and organizations, including PCI DSS. The OWASP Top 10 application security. It represents a was first released in 2003, with minor updates released in 2004 broad consensus about what the most and 2007. The 2010 release marks this project’s eighth year of critical web application security flaws raising awareness of the importance of application security risks. are. Project members include a variety of security experts from around the Barclaycard encourages its customers and partners to use the world who have shared their expertise Top 10 to get started with web application security. Developers to produce this list. can learn from the mistakes of other organisations. Executives should start thinking about how to manage the risk that software We urge all companies to adopt this applications create in their enterprise. The 2010 Top 10 web awareness document and start the application security risks are listed below: process of ensuring that their web applications do not contain these flaws. • A1 Injection Adopting the OWASP Top 10 is • A2 Cross-Site Scripting (XSS) perhaps the most effective first step • A3 Broken Authentication and Session Management towards changing the software • A4 Insecure Direct Object References development culture within an • A5 Cross-Site Request Forgery (CSRF) organisation into one that produces • A6 Security Misconfiguration (new in 2010) secure code. • A7 Insecure Cryptographic Storage Please help us make sure every • A8 Failure to Restrict URL Access developer in the ENTIRE WORLD • A9 Insufficient Transport Layer Protection knows about the OWASP Top 10 by helping to spread the word!!! • A10 Unvalidated Redirects and Forwards (new in 2010) As you do this, please emphasize: • OWASP is reaching out to It’s all about risk developers, not just the application The 2010 Top 10 Application Security Risks and their associated security community risk factors were determined based on the available statistics • The Top 10 is about managing risk, and the experience of the OWASP team. To understand these not just avoiding vulnerabilities risks for a particular application or organisation, you must consider your own specific threat agents and business impacts. For the 2010 release of the OWASP top 10: http://www.owasp.org/index.php/Top_10Payment Security Newsletter – Issue 1 – January 2011 Page 6
    • payment acceptance leading the way in secure payments From the card schemes What you should know Visa Europe 31st December 2012: Pre PCI-PEDs All pre PCI PEDs earlier than PCI PED version 1.x must be Risk mitigation replaced with Visa approved devices by 31st December 2012. Please note that PCI PED 1.x approved devices will expire on 30th April 2014 and PCI PED 2.x will expire on 30th April 2017 (expiry means that no new deployment of the devices are 3D Secure… allowed but like for like replacement is tolerated). Please check To improve your fraud to sales ratio in the PCI SSC site for your devices at the e-commerce space, think about https://www.pcisecuritystandards.org/approved_companies_pr authentication through 3D Secure. oviders/approved_pin_transaction_security.php As at September 2010, Verified by Visa 31st December 2012: Payment applications and PA DSS (VbV) penetration in the UK was 53.3% Acquirers must ensure merchants using payment applications and 90% of the UK VbV volume was fully that do not store sensitive data authentication must either be authenticated. This reduced the fraud to fully PCI DSS compliant or using a PA DSS compliant application. sales ratio on fully authenticated For a list of validated PA-DSS applications please see transaction to 0.08%, compared to https://www.pcisecuritystandards.org/approved_companies_pr 0.25% for non VbV traffic. oviders/validated_payment_applications.php Don’t forget that VbV protects MasterCard merchants against cardholders denying 30th June 2011: PCI Annual onsite assessment and ISA training making the purchase: all fully authenticated transactions benefit from • Level 1 merchants choosing to conduct an annual onsite the global liability shift and all merchant assessment using an internal auditor must ensure that primary ‘attempted’ transactions benefit from internal auditor staff engaged in validating PCI DSS compliance the global liability shift, except Inter- attend the PCI SSC ISA training and pass any PCI SSC Regional Commercial card transactions. associated accreditation program annually in order to continue to use internal auditors. The maths are clear! • Level 2 merchants choosing to complete an annual Self- assessment Questionnaire (SAQ) must ensure that staff engaged in the self-assessment attend the PCI SSC ISA training and pass any associated PCI SSC accreditation program Don’t forget annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at That payment applications that store their own discretion, complete an annual onsite assessment (or cause to be stored) sensitive conducted by a PCI SSC approved QSA rather than complete authentication data are not allowed. an annual self-assessment questionnaire. When integrating payment (Please see page 9 for ISA training dates) applications in your infrastructure, always check PA-DSS compliance. What’s on the horizon With cybercrime on the rise, you will not be surprised that the card schemes (and Barclaycard) will be focusing even more on reducing risk in the e-commerce space. Consequently, risk prioritisation & management remains on the agenda. Also expect some relaxation in the face-to-face channels for organisations that have deployed EMV terminals (aka Chip & PIN)…Payment Security Newsletter – Issue 1 – January 2011 Page 7
    • payment acceptance leading the way in secure payments PCI DSS Recap Round up 2010 As you’ll know by now, the PCI SSC released version 2.0 of both Did you know?... the PCI DSS and PA-DSS. Notably, the lifecycle has now been increased from 2 years to 3 years, which in our opinion denotes maturity. The theme for the new release was really clarification The compliance index rather than drastic change and this was welcomed by the industry. Also of particular note, the PCI SSC re-launched their From an analysis of our corporate and website (https://www.pcisecuritystandards.org/), and it is now mid-tier portfolio, we can confirm that much clearer and easier to navigate. The sub-site for small PCI DSS compliance is certainly moving merchants was particularly welcome! Check it out at the right way. As at January 2011, https://www.pcisecuritystandards.org/smb/ below is the shape of compliance by sector, so organisations can position And again, it’s all about risk… themselves against their peers: Undeniably, 2010 was also the year of risk prioritisation and this Change was evident at the PCI SSC community meetings and PCI SECTOR vs 11/ Compliance subsequent Card Scheme communications. Barclaycard has 2010 always been a proponent of risk prioritisation. Evidently, PCI DSS Hotels 50% = compliance does not equal security, which is why organisations Gaming 50% ↑↑ should identify their vulnerabilities and their impact to their assets. With the increase in cybercrime, Card-Not-Present risks Insurance 46% ↓ (e-commerce and MOTO) should be at the forefront of a security Retail 44% ↑ agenda. When the PCI SSC launched the risk-based approach in March 2009, with its reclassification of the PCI DSS requirements University 37% ↓ into 6 milestones, Barclaycard embraced it and developed Restaurants/ Pubs 34% = supporting tools to help its customers. Now that this approach has been in operation for a while, we can see many ways of Public sector 22% ↑↑ improving it. First of all, the SSC risk-based approach puts most Airlines 20% ↓ of requirement 12 in milestone 6 (therefore at the end of a programme). We firmly believe that all activities related to information security policies should start at the beginning of a Breach Statistics change programme (which PCI DSS should be). • Cybercrime affects all industries: top of the cost spectrum is information In addition to this, the SSC approach is a static one inasmuch as loss (42%) . (*) it gives a snapshot in time of the status of any given requirement. What is now needed, as the standard reaches • 73% of attacks are of simple or maturity (exemplified in v2.0), is a dynamic approach enabling average sophistication (default or the controls to be managed in real time by the persons directly shared credentials, SQL injections). (*) responsible for them. Furthermore, we believe that the security • 49% of CEOs are very confident or posture of any given organisation should not be just about PCI confident that their organisation will DSS, but also Data Protection and other security requirements not suffer a data breach within the to help reduce risk (for example use of 3D Secure). A toolset that next year. (*) would enable organisations to understand the key risks whilst identifying non-compliant areas and monitoring progress can * see “Resources” on page 10 only streamline the process of moving a change programme into business as usual. We fully support this and will work with the PCI SSC and card schemes this year to further this approach.Payment Security Newsletter – Issue 1 – January 2011 Page 8
    • payment acceptance leading the way in secure payments Upcoming events What’s happening in 2011 Q1 2011 27th January: PCI London (see page 4 inset) 6th February: European Card Acquiring Forum, Berlin, Germany From our partners As proud winners of two ECAF awards in 2010 for Data Security (PCI DSS) and Channel (for contactless technology), Barclaycard is hoping that this year’s conference will be as successful! Semafone http://www.europeancardacquiring.com/ We are pleased to announce that 16th-17th February: PCI SSC ISA Training, San Francisco, USA. Semafone (Product of the Year at the 9th-10th March: PCI SSC ISA Training, London, England. Call Centre Awards 2010) have gained We advise L1-2 merchants to consider this training, especially in PA-DSS accreditation from the PCI view of the MasterCard mandate. SSC. They will be listed imminently. For https://www.pcisecuritystandards.org/training/training_calendar. more information about Semafone, php please see http://www.semafone.com/ 1st-2nd March: Technology for Marketing & Advertising, London Worried about PCI DSS and call Barclaycard will be presenting at this event recordings? http://www.t-f-m.co.uk Please see our white paper at 11th March 2011: PCI SSC – PCI Awareness Training, London, http://www.barclaycard.co.uk/business England. Please note, this is not the ISA training. /documents/pdfs/processing_telephon https://www.pcisecuritystandards.org/training/non_certification_ e_payments.pdf training.php#schedule 29th March: Safe & Sound Barclaycard/ IRM Quarterly event, London. “How compliant do you want to be?” Details TBC The Logic Group Q2 2011 Despite severe weather conditions at 7th April: Barclaycard/ 7Safe quarterly event, London. the end of November 2010 The Logic 19th-21st April: Infosecurity Europe 2011, London Group Secure Payment Forum events Barclaycard will be presenting at this event. in London and Birmingham went ahead http://www.infosec.co.uk/page.cfm/Link=687 to demonstrate new solutions including TBC April: Barclaycard webinar for hotels (PCI and DCC) point-to-point encryption and 28th May: Barclaycard Restaurants & Hotels Customer Forum, tokenisation to help merchants London, Vinopolis increase their security. For information 23rd June: SC Magazines Mobile Device Management on future events and downloads of conference, London. Barclaycard will be presenting at this event. previous presentations, please see http://haymarketevents.com/conferenceDetail/536 http://www.the-logic- group.co.uk/Events/ 28th June: Safe & Sound Barclaycard/ IRM Quarterly event, London. Details TBC When assessing encryption solutions, TBC June: Barclaycard Financial Services Customer Forum, please see the Visa guidelines at London, http://www.visaeurope.com/en/busines ses__retailers/payment_security/idoc.a Q3 2011 shx?docid=a06621cc-9666-4ccd-9045- TBC July: Barclaycard Retail Forum ecec84c7a94c&version=-1 7th July: Barclaycard/ 7Safe quarterly event, London. Details TBC 13th September: Safe & Sound Barclaycard/ IRM Quarterly event, London. Details TBC.Payment Security Newsletter – Issue 1 – January 2011 Page 9
    • payment acceptance leading the way in secure payments Resources Where to find more information Training your staff We have been asked many times to provide some guidance on Creating a secure culture how PCI DSS training should be approached (see top tips on page 2-3). For large organisations, this may pose a challenge. Layered approaches are usually the best, starting for the Board It is imperative that organisations and C Level executives (Financials, RoI, Risk Management, understand the need to instil a security Governance), Middle Management (what it means to them). Then culture from top to bottom, and that you need to have generic staff training, which is generally best payment security is not just an IT issue or deployed through computer based training with a yearly ‘tick box’ exercise. Training is a vital aspect assessment (this allows you to reach the whole organisation). in achieving and maintaining the necessary There will also need to be specific training for staff coming into changes in thinking and behaviours that contact with cardholder information. Barclaycard have produced are required for any successful payment a PowerPoint pack that businesses can customise for their own security programme. purposes. If you’d like a copy, please email Get involved PCIDSS.Guide@barclaycard.co.uk To contribute to the development of the PCI standards, we recommend you become a participating organisation (PO) with the PCI Where to find PCI DSS compliant L1 Service providers SSC. POs will be able to contribute to Visa Europe: Special Interest Groups (SIGs): http://www.visaeurope.com/en/businesses__retailers/payment_ • Pre-authorisation security/idoc.ashx?docid=722c1918-ee68-4283-a701- • Scoping (incl. Encryption, Tokenisation, 6b473c2c1cdd&version=-1 Scoping & EMV) – chaired by Barclaycard. • Virtualisation MasterCard: • Wireless http://www.mastercard.com/us/sdp/serviceproviders/compliant_ To join a SIG or propose a new SIG, please serviceprovider.html contact sigs@pcisecuritystandards.org or see https://www.pcisecuritystandards.org/org Do you need help with PCI DSS contractual clauses? anization_info/special_interest_groups.php In our top tips on page 3, we advise businesses to make PCI DSS More on breach statistics contractual provisions with their third parties (PCI DSS For more information from the inset on requirement 12.8.2). If you would like a copy of our 3 page page 8, please see the following reports: sample contract addendum, please email From the Ponemon Institute at PCIDSS.Guide@barclaycard.co.uk http://www.ponemon.org/data-security • Business Case for Data Protection, 03/10 • 2010 Global Cost of a Data Breach, 04/10 Risk Matrix for e-commerce deployments • First Annual Cost of Cybercrime Study, Top tip number 8 on page 3 mentions SaaS. If you’d like to see 07/10 the risk scoring matrix of the different types of deployment for From 7Safe at payment pages, please see our white paper: http://www.7safe.com/breach_report/ http://www.barclaycard.co.uk/business/documents/pdfs/proces • UK Security Breach Investigations Report sing_online_card_payments.pdf 2010Payment Security Newsletter – Issue 1 – January 2011 Page 10
    • payment acceptance leading the way in secure payments E-commerce solutions from Barclaycard Barclaycard’s payment page for SMEs ePDQ has remained PCI DSS compliant since 2007. Our new offering, SmartPay launched Terminal news in November 2010 for large corporate and multi-national organisations is also PCI DSS compliant. For more information, please see http://www.barclaycard.co.uk/business/accepting- payments/epdq-cpi/ and http://www.barclaycard.com/smartpay Introducing Fraud Reporter For online and face-to-face payments Barclaycard can provide you with daily reports, confirming fraudulent transactions, as Mobile terminals on the move reported by Visa and MasterCard in the last 24 hours. We can also Planning to sell at a trade fair, festival or provide you with sector and UK fraud intelligence. Key features sales events? Worried about having to include: handle lots of cash or not being able to • Fraud attack identification to stop goods & services being accept payments from customers only carrying cards? With a mobile Chip and PIN dispatched to fraudsters in near real time. device from 123 Hire, you’ll be able to • Advance notice of potential chargebacks giving more time to accept card payments for a short time investigate and prepare a defence. away from business premises & maximise • And more useful analysis tools to give you increased visibility your sales. into fraud attacks… To hire a mobile Chip & PIN device, Barclaycard customers can call 123 HIRE For more information please contact Dave Moore at on 0800 074 1123 or e-mail david.moore@barclaycard.co.uk barclaycard@123hire.net Meet the team Advertising on terminal till rolls They help you through your compliance journey with payment Barclaycard customers now have the security advice, meet the Barclaycard Payment Security team: opportunity to advertise their business on the reverse of terminal till rolls. This service is provided by UK Paper Rolls, Barclaycard’s approved supplier. One colour branding is free and details of this service can be obtained by calling UK Paper Rolls on 0844 822 2044 or at www.pdqconsumables.com Barclaycard customers can email them at PCI.TaskForce@barclaycard.co.ukPayment Security Newsletter – Issue 1 – January 2011 Page 11
    • payment acceptance leading the way in secure payments Have your say What did you think? We would like this newsletter to be as relevant and topical as Last words… possible, and for this we need your help! Please give us your thoughts on what you liked and what you didn’t like and how we can improve, and if the structure works. Quote of the day… Security isn’t something that you buy; What would you like to hear about? it’s something that you do. We have a lot of topics we would like to talk to you about in the New chair of PCI SSC next edition, these include: The Council announced the appointment • More on cloud computing and perhaps go a bit deeper on SaaS of its new chairperson. Eduardo Perez, implementations in real life head of global payment system security, • More on risk prioritisation tools Visa, Inc., will succeed Bruce Rutherford of • Governance, Risk and Controls (GRC) MasterCard Worldwide in this leadership position in 2011. • SIEM (Security Information and Event Management) As chairperson, Eduardo will work with the • Encryption and tokenisation Councils Board of Advisors, Participating Please let us know if you have particular areas of interest which Organisations, assessor community and you would like to see covered. merchants globally to increase awareness and education around the PCI Security Standards, as well as to promote the importance of protecting cardholder data. And finally… All that remains for me to say is that I hope you enjoyed our PCI SSC Board of Advisors newsletter and found it of some use. Please let us know what We need your ballot! you think about it, either by emailing PCIDSS.Guide@barclaycard.co.uk or me directly at Now that the current PCI SSC Board of Advisors has been in operation for two neira.jones@barclaycard.co.uk years, the PCI SSC will soon be starting the Wishing you a Happy and Secure 2011! election process for its new BoA. Neira Jones Barclaycard has been a member of the BoA for the past two years and in that short period of time, we have been able to represent our customers and pursue some important issues directly with the SSC. Barclaycard | Global Payment Acceptance It is Barclaycard’s intention to stand for re- 1234 Pavilion Drive | Northampton | NN4 7SG election in 2011 and we ask our customers http://www.barclaycard.co.uk/pcidss and partners to vote for us! The elections are not yet open, but we will communicate Telephone +44 (0)1604 252651 the schedule in due course. We hope we can count on your vote!Payment Security Newsletter – Issue 1 – January 2011 Page 12