PCI SSC: Effective Daily Log Monitoring

PCI SSC: ‘Effective Daily Log Monitoring Supplement’ – They Missed Again

The SSC released their Information Supplement ‘Effective Daily Log Monitoring‘ in MAY, and I’m only just hearing about it now! Either I’m completely out of the loop (not being a QSA) or the SSC did a very poor job PR-ing it.

I think I understand which it is now that I’ve read it.

Anyway, despite the blatant oxymoron in the document’s title, and my own predisposition toward negative bias where the SSC is concerned, I was still hoping to be pleasantly surprised.

I wasn’t, but nor was I as horrified as I have been while reading output from other SIGs.

It’s actually a really good beginner’s guide to logging, but it’s completely unsupported by the DSS in its current form. And it’s not just me looking for faults, they have not put logging into a proper, or even accurate, context to the DSS requirements as written. With their knowledge of best practice, they basically made the rookie mistake of assuming requirements mean more than they do.

To be clear; If it’s not specifically spelled out in the standard, it is not mandatory. Period / full stop. Even if it’s the right thing to do.

For example: There is no requirement for any automated alerting. Not from firewalls, not from A/V, not from IDS, not from FIM, and not from ‘system components’ like servers and applications. So the statement; “The PCI DSS recognizes the importance of proactive monitoring of security logs in the detection of attacks on information assets and the protection of those assets from compromise.” is inaccurate. The SSC might recognise the importance of pro-active monitoring, the SIG’s participants clearly do, but the DSS only recognises the need for what amounts to forensic evidence. Nothing more.

The DSS uses the word ‘alert’ in only 6 relevant Requirements:

  • 6.6  For public-facing web applications, ensure that either one of the following methods is in place as follows:

• Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows:

– Is configured to either block web-based attacks, or generate an alert that is immediately investigated.” – [Alerts are non-mandatory, and can be manually generated.]

  • 10.5.5  Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).” – [No time-period defined, so you have to assume weekly like 11.5, or at most daily like 10.6. Alerts can be manualy generated.]
    o
  • 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.

Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.” – [Non-mandatory]

  • 11.1.d  If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel.” – [Non-mandatory, and/or no time-period defined.]
    o
  • 11.4  Use intrusion-detection systems and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.” – [Alert how? Automatically or during a daily review?]
    o
  • 11.5  Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.” – [Weekly notification, so clearly does not require automation.]

So if there’s no requirement for automatically generated alerts, and daily is the maximum defined review timeframe, how can they possibly insist on 24/7 availability related to Incident Response (DSS Req. 12.10.3)? Who is going to choose 2AM for their daily review?

Even the SIG makes the statement; “Without automated alerting mechanisms, it is almost impossible to identify and alert about such events in near real-time.“. In other words, in time to actually do something about it before it gets out of hand.

But I thought this was about effective DAILY log monitoring?

So All In All…

The thing that still confuses me most, is that the DSS is full of mandatory technologies, but a manual and daily review of logs is still OK?! Not one technology in the DSS is required to be utilised properly, and some have significantly less benefit than a Security Incident & Event Management (SIEM) or an equivalent managed service:

  • why require firewalls and routers then don’t mandate review of the traffic logs?
  • why require an asset database, but not an asset management system on which every other security processes can rely?
  • anti-malware is based on signatures so is all but useless
  • intrusion detection is pointless unless the entire infrastructure is baselined to a known-good
  • …and so on.

So of ALL requirements, how can centralised logging and automated alerts not be mandatory?

This post in already too long, and I’ve barely begun to scratch to surface of why logging and monitoring is so important.

There’s no escaping that the document name; ‘Effective Daily Log Monitoring‘ is misleading, it should be called the ‘We Cannot Tell You to Buy a SIEM, But Good Luck Getting Compliant Without One‘. Basically the SSC has all but admitted that the logging and monitoring requirements are completely inadequate, but can think of no way to change them in the DSS. Not without pissing off a lot of people anyway.

Finally, it IS  a good document, worth a read, and kudos to the authors. Unfortunately it’s guidance is meaningless to those without the means to perform anything other than manual daily reviews.

Bonus Material

If you’re interested, I have provided some additional thoughts in my own Logging Supplement document. There are 3 sections:

  1. Breakdown of Existing DSS Logging & Alerting (Non-Server) – There are 5 DSS requirements outside of the established logging and alerting requirements, and are ambiguous at best. They are also not covered appropriately in the SSC’s Supplement.
    o
  2. Missing from the DSS – The SSC’s Supplement did not cover daily review appropriately, nor did then then go far enough to cover appropriate automation. This section covers a few of the major benefits of logging and monitoring properly.
    o
  3. Automating the Daily Review – There are only three processes required to automate the daily review, but it cannot be done without centralised logging and scripting skills, a managed service, or a SIEM.

[If you liked this article, please share! Want more like it, subscribe!]

Visa Europe's New Fine Structure

Visa Europe’s New Fine Structure – Can YOU Afford €500K?

[Disclaimer: The following is based on information received from a single acquirer, and I have been unable to corroborate any of this from other sources.]

Have you seen Visa Europe’s new fine structure for cardholder data breaches? Can you afford THAT kind of loss? More importantly; Are you really PCI compliant, or did you just fake your way through a Self Assessment Questionnaire (SAQ)?

In case you weren’t aware, the fines for a breach are levied against the results of the mandatory forensics investigation, not just your self-assessment status. Anyone caught lying on a self-assessment attracts the maximum fines, and rightfully so.

OK, full disclosure on the title, I did go straight into a worst case scenario, but would you read about PCI otherwise? If you’re like 99% of the people I’ve ever had as PCI clients, you care nothing about PCI compliance per se.  Other than wanting it to just go away of course. Historically, even threats of fines have done little to motivate organisation to take PCI seriously.

Until now perhaps.

But first, believe it or not,  some good news!; “Assessments levied for non-progressions and portfolio targets have been withdrawn.” – in other words, there will no longer be Visa Europe-defined fines for non-compliance. This is not to say your ACQUIRER can’t fine you, but Visa has only ramped-up the fines in the back-end.

In this case, the ‘back-end’ means you’ve been breached, and there is now a whole host of things you have have to take into account to work out your potential losses:

  1. The loss of 1 PAN & CVV attracts a fine of €18.
  2. There is a €3,000 ‘Account Data Compromise (ADC) Management Fee’ imposed on all breaches.
  3. For penalties over €100,000, the fines can be capped at “5% of the merchant’s Visa gross annual purchase volume in 12 months prior to the initial notification.” I assume this is entirely discretionary and weighed against the egregiousness of the non-compliance.
  4. Did the acquirer correctly report the merchant’s compliance status? – Even is the status is non-compliant, there is a 25% reduction in fines for correct reporting.
  5. Are the ‘majority’ of the merchant’s transactions authentication with Verified-by-Visa (VbV) – 50% reduction in fines if yes.

ADC Scenarios:

  1.  Non-compliant Level 4 Merchant puts 1,000 PAN and CVV2 numbers at risk – Acquirer correctly reported compliance status, and VbV is in place;
    o

    PAN & CVV 1000 x €18: € 18,000.00
    Compliance Reductions @ 25%: -€ 4,500.00
    Sub Total:  € 13,500.00 
    VbV Reduction: -€ 6,750.00
    Sub Total:  € 6,750.00 
    ADC Management: € 3,000.00
    Cap Applied: N/A
    Grand Total:  € 9,750.00 

    o

  2. ‘Compliant’ Level 3 Merchant puts 5,000 PAN and CVV2 numbers at risk – Acquirer incorrectly reported compliance status, and VbV is not in place;
    o

    PAN & CVV 5,000 x €18: € 90,000.00
    Compliance Reductions @ 25%: € 0.00
    Sub Total:  € 90,000.00 
    VbV Reduction: € 0.00
    Sub Total:  € 90,000.00 
    ADC Management: € 3,000.00
    Cap Applied: € 25,000.00
    Grand Total:  € 28,000.00 

    o

  3. Non-compliant Level 2 Merchant puts 75,000 PAN and CVV2 numbers at risk – Acquirer correctly reported compliance status, and VbV is in place. No penalty cap applied;
    o

    PAN & CVV 75,000 x €18: € 1,350,000.00
    Compliance Reductions @ 25%: -€ 337,500.00
    Sub Total:  € 1,012,500.00 
    VbV Reduction: -€ 506,250.00
    Sub Total:  € 506,250.00
    ADC Management: € 3,000.00
    Cap Applied: N/A
    Grand Total:  € 509,250.00

Conclusion:

Will Visa Europe’s new fine structure get merchants moving towards compliance? I seriously doubt it. Frankly nothing will get them moving unless the CEO / BoD see these fines as a legitimate business risk instead of a worst case scenario. And what are the chances of that when the cost of properly securing cardholder negatively impacts the quarterly numbers?

Fining for non-compliance was stupid anyway. It basically forced merchants to just lie on their SAQs and do nothing to actually reduce the risk. Huge fines for a breach is arguably a more appropriate way of punishing those who egregiously ignored the standard. But it’s still after the fact.

But what if the card schemes actually provided INCENTIVE for achieving [and appropriately demonstrating] compliance? Reduced interchange rates perhaps? Financial incentive to adopt their increasingly desperate ‘innovations’ maybe? Wouldn’t THAT be something.

[If you liked this article, please share! Want more like it, subscribe!]

Change Your QSA

Too Scared to Change Your QSA?

Or perhaps the question should be; “Can’t be bothered to change your QSA?

Or an even worse scenario; you know you can’t change your QSA because the new one might discover things you’ve been hiding from the last one!

I can almost empathise with the first two, but if it’s the third scenario you deserve the bad things that will happen when you get breached.

The fact is, if you have been working with a good QSA, not one of the challenges I list below will apply to you, Changing QSAs, or even QSA companies will not be an issue. You will have been doing security properly, and not just faking compliance.

Challenges:

A significant number of organisations are faced with at least 1 of these 5 main challenges;

  1. Lack of Continuity – Employee attrition is inevitable. QSAs have historically bounced from one QSA company to the next following the money. Which has been abundant for almost a decade now. This has left many clients in the unfortunate position of having to start all over again with another QSA. Often one who has received little to no hand-over.
    o
  2. Lack of Guidance – This is the QSA’s only real job. Other than writing the second half of the Report on Compliance, ALL of the remediation work belongs to the client. The role of the QSA is to ensure that the client NEVER hits a roadblock. QSAs are supposed to have ‘been-there-done-that’, so “What’s next?” should never be a question the client has to ask.
    o
  3. Inconsistent Opinions – Every security consultant has a different skill-set. Some are network wizards, others know encryption, most should be very familiar with policies and procedures. What happens when your last QSA agreed something that your current QSA won’t accept? Who is accountable for the loss of resource and/or capital cost?
    o
  4. Starting Over Again Every Year – Too many  QSAs are ‘just QSAs‘, with little experience or capability in fitting PCI into sustainable security processes. If your PCI compliance looks like an annual project, it is. Validation of compliance should be a simple process that should fit neatly into your BAU program. If it doesn’t, there’s a very good chance your QSA is at least partially to blame.
    o
  5. Black-Hole Communications – If you expect your QSA to be a project manager, you have completely misunderstood the dynamic. But if you expect them to respond to emails requesting guidance in a timely fashion, you should. A QSA is there to tell you everything you have to do to achieve compliance, that’s their job, they must be readily available.

Mitigation:

OK, so those are all the bad things, how do you fix them? Easy, choose the right QSA in the first place!

Facetious yes, and likely a moot point, but it’s never too late to change:

  1. For Lack of Continuity – All good QSAs have a methodology; Have you seen it? Does you QSA even have one? If the answer is no, you don’t have a good QSA. Continuity is simple, it just requires discipline, and a plan.
    o
  2. For Lack of Guidance – As stated above, this is the QSA’s only purpose, if they can’t provide it, find someone who can. Interview your QSA(s) before letting them onsite, but have your questions prepared. Insist on having access to QSAs suitably qualified in ALL 12 DSS Requirements. You’ll never find this in a single QSA, unless it’s one of the 3 that I know that come close (I’m not one of them).
    o
  3. For Inconsistent Opinions – Agree a process whereby the QSA company accepts mitigation plans or compensating controls, not individual QSAs. Agree, in writing, that ALL QSAs they send will accept a company approved option.
    o
  4. For Starting All Over Again – This is as much your fault as the theirs. If you had a security program in place that appropriately covered your business, PCI would fit into it, not the other way around.
    o
  5. Black-Hole Communications – Vendor Due Diligence + Service Level Agreements + Vendor Management. Period / Full Stop.

Changing QSAs every few years is a best practice, you should ALWAYS want fresh eyes on such a critical process. If changing your QSA is too difficult or inconvenient, it says a lot about both your current QSA, and your organisation’s attitude toward security;

They both leave a lot to be desired.

Here’s some old guidance I threw together a while back; Selecting the Right QSA for Your Business

Like this Article? Don’t forget to subscribe!

National Retail Federation (NRF), Why They SHOULD Hate PCI

In a recent CSO Online article; “The National Retail Federation is dead wrong about PCI“, the author made, in my opinion, one the most reprehensible defences of PCI I’ve ever seen. Even the SSC have not been so bold as to make these kinds of off-the-mark and clearly self-serving assertions.

After an innocuous 2 paragraph preamble, the author(s) state;

Despite NRF assertions to the contrary, the payment card industry has asserted that their card security standards are voluntary. Merchants have a definite choice if they want to accept credit and debit cards or not. It’s quite safe to say if retail establishments couldn’t accept payment cards; most would see massive sales reductions, and a large number would simply go out of business.

How can he possibly say that merchants have a choice, when he says it himself that most would see “massive sales reductions”!? Call that a choice!? That’s right up there with ‘face or gut?’!

The fact remains that the card brands STILL have merchants by the short-and-curlies when it comes to non-cash payments. You only have to look at the anti-competition or unfair business practice suits that card brands have had to fight over the years to see how distastefully are their business practices perceived.

And quite frankly, this all shows a complete lack of understanding of the NRF’s main issue; They don’t CARE how they receive payment, payments are NOT core to their business. Being paid for their product / services is.

The author goes on to say;

Given the significance of payment cards, we would have expected the NRF to be at the forefront of PCI advocacy and compliance. Yet the reality is that they have an extremely disdainful view towards PCI.

Seriously? Ask me to pick up the cost of fixing your crappy service and I’ll be equally ‘disdainful’. Sod that, I’d be thoroughly pissed-off, but I still wouldn’t have a choice, not if I wanted to stay in business.

The NRF have every right to expect the card brands to do something more appropriate, THEY are the ones providing the service and THEY (and their associated middle-men) are the ones who’ve made billions through merchant transactions over the course of 50+ years.

But it’s the merchants who are the ones who are paying the interchange rates. And it’s the merchants who have to spend billions on infrastructures that do absolutely NOTHING to help them improve their customer’s shopping experience.

Guess who pays for this in the end? Yep, us, the consumers.

As I have written (or at least allude to) many times in the past, the very technology behind payment cards is past its usefulness. Anyone trying to prolong this ancient, inherently insecure, and zero-value-add technology clearly has a vested interest in doing so. Card Brands, Issuers, Acquirers, Payment Service Providers (PSPs), and Terminal Manufacturers are obvious stakeholders. However, QSA companies exist to a large degree on the budgets that PCI compliance extorts. Call them PCI War Profiteers if you wish, I’ve heard worse, and I have also benefited.

In the card brand’s defence, they have done a truly astonishing job over the course of 5 decades in bringing trust into non-cash payments. That’s what their logos are; a symbol of trust. The next generation of payment providers owe them an enormous debt of gratitude. That said, we didn’t keep horses around because we felt sorry for the ferriers, we jumped head first into the automobile.

Mobile phones are now more ubiquitous, and can be infinitely more secure and ‘value-add’ than branded plastic (even while tokenised in ‘[X] Pay’ services). All we need now are the banks to get their acts together and provide the trust and there will be little need for the innumerable middle-men.

Which brings me to my final point on the article; yes the NRF and all other retail associations have the right to be angry, but they have done next to nothing to help themselves. They played a game whose rules were set by the card brands and used none of their extraordinary power and influence to tip the balance in their favour.

For example, I have estimated that the Top 10 retailers in the US alone account for almost 1 TRILLION USD in branded transactions. If we assume an average of 1.75% interchange, that’s 1.75 BILLION in fees the retailers have paid to ‘middle-men’. How much influence would you exert over those middle-men if it was your business?

So in summary;

QSA Companies: Keep your opinions of retail to yourselves, your self-serving diatribes are inappropriate. Serve your clients, don’t brown-nose the brands.

Card Schemes/Issuers/Acquirers: Use your incredible knowledge and combined talent-pool to lead the way in the removal of plastic, and therefore the need for PCI. It’s time to move on.

Retailers: Put aside your differences, stop bitching to the wrong people in the wrong way, and do something useful with your power. Focus on what you WANT, not want you DON’T want.

All of this boils down to one thing; what do consumers want? Most have no idea, but I do, as do thousands of others like me. Ask us.

…and it had better not involve yet another piece of plastic.

Running PCI as an Agile Project?

First, I have only been ‘doing’ Agile stuff for a little over 2 weeks, so this will be less about project management and more about how achieving PCI compliance should be done. Or or this case, could be done …potentially …unless I’m completely off the mark.

Like any project, PCI is just a whole bunch of action items, assigned to an individual, with a due date. That’s it. Unlike frameworks such as ISO 27001, PCI is written down for you, so it makes sense that a methodology like Agile would be well suited to keep a PCI project moving.

The reason that PCI compliance is so difficult for a lot of organisations, is that regardless of the seeming simplicity, determining what those actions ARE, or which to start first, or even knowing when to stop, can be more of an art form that a science. This is why there are so few good QSAs, as they are the ones who are supposed to be providing the guidance on every question you may have, even before you know enough to ask them.

We’ll leave, budget, resources, and having having management who give a crap aside.

So, if you agree that because the DSS is written down for you that you can determine the list of action items required to validate compliance WELL before you begin, then my theory makes a little more sense.

For example; for every operating system you have, the DSS requirements and the actions items are very clear:

  1. Requirement 2: Have a configuration standard, show evidence that your systems follow it
  2. Requirement 5: Have AV, show evidence that it’s running, or have a compensating control
  3. Requirement 6: Document your vulnerability management process, show evidence that your servers are patched accordingly
  4. Requirement 7: Have some form of LDAP, show evidence that access control lists are enforced accordingly
  5. Requirement 8: Extension of Req 7., show authentication and ID management are enforced
  6. Requirement 10: Turn logging on, demonstrate that your SIEM is reacting accordingly, and that all times are synched
  7. Requirement 11: Have FIM, show that’s running

So for an Agile project, you just create a series of issues in the backlog that correspond to the above, and duplicate EVERY issue for all subsequent operating systems in your environment. Simple huh?

And you don’t need a dedicated project manager, just a scrum master who can run all of the daily stand-ups and bi-weekly / monthly sprints. Of course, getting all of the action items right will take a significant PCI expertise, but once this is done for your environment, there’s really no excuse for a stalled project.

The benefits seem to be;

  1. The level of effort required to achieve compliance is obvious very quickly, so resources can be applied in the most efficient manner
  2. Those not pulling their weight become obvious to everyone from the very first sprint, and a determination of anything from individual employee overload to utter incompetence can be determined
  3. You have to think about PCI in the only way that makes sense, and keeps things moving forward; bite-sized chunks of action items
  4. Workloads can be spread around, with current print tasks reassigned to those with more available time
  5. The process becomes repeatable when every action is recorded during the project’s lifecycle.

Anyone who’s ever seen a PCI project drag on for years, or had people on whom you were dependant make excuse after excuse for months on end, something like Agile could be the edge you’re looking for.

Unless I’ve completely missed the point.