PCI: Your eCommerce Web Sites Are In Scope

“Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.”

We now anticipate that many small merchants will find their web sites in scope for PCI compliance under PCI DSS v3.

We wrote earlier this year concerning the potential for scope changes brought about by PCI DSS v3. Now that the official v3 SAQ documents have been published, it is becoming clearer what the impact of these scope changes will be.

If you were a self-assessment merchant validating under SAQ A, you now have two possible SAQ routes. Which SAQ is applicable hinges on the use of redirection, as opposed to third-party hosting of the entire web payment solution.

  1. For e-commerce-only merchants redirecting to a third-party payment gateway, the new SAQ A-EP is now applicable. This puts previously out-of-scope web servers in scope, along with a range of PCI requirements drawn from all 12 sections.
  2. For card-not-present merchants using a third-party hosted solution (i.e. you don’t redirect, and the entire payment and web solution is hosted by the compliant payment service provider), SAQ A is applicable. This is largely the same as the minimal v2 SAQ A.

The upshot is, if you redirect to a payment page, your source web servers (and any other applicable components) are in scope for a wide range of PCI DSS requirements. If you want to avoid this, then your entire payment web site/solution (not just the payment page) needs to be hosted by a compliant payment service provider.

Any other combination of payment channels that include eCommerce will simply default to SAQ D.

Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.

Download our SAQ v3 applicability summary here.


Apple Secure Coding Guide

We note that Apple has just released a document entitled “Secure Coding Guide”, covering OS X and iOS development.

From the intro:

“Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you should be familiar with the information in this document.”

Read or download the document from here.

Recovering from a Hacking Incident: A Guide

By Andrew Lisa

Getting hacked is never fun, all too common, and never 100 percent preventable. Hackers can impersonate you, damage your online reputation, or steal your money. In the event that it happens to you – and it’s very likely that it may – the actions you take in the immediate aftermath will determine how harmful the attack will ultimately be.

Follow this guide to recovering from being hacked.

If you’ve been hacked, change your password immediately.

Change Your Password

Whether it’s your email, your Facebook, or any other account that has a password, the first thing you need to do is stop the bleeding by changing that password. As soon as you change your password, the damage will usually be contained.

If you use the same password for multiple accounts, change those passwords as well. If a hacker has accessed your email, it’s likely he or she will try the same password to access any other account associated with you. The reason for this is that so many of us use the same password for everything.

Report the Incident

If you were hacked, tell the host application. This is important for them, for you, and for future victims. It may never lead to the perpetrator being revealed or punished, but it can help program developers create safer software. There is no central agency that handles hacking reports, but virtually every major email provider, bank, social media site, etc. has a specific department to report to. If your Facebook is hacked, for instance, visit www.facebook.com/hacked.

Clean Your Machine

The only sure way to guarantee your computer is totally free of any traces of malware, viruses, or Trojan horses left behind is to totally start over by reformatting your hard drive. This will, of course, result in total data loss.

If you’re not willing to go that far, make sure to get the latest updates and security patches for both your operating system and for any web browser you use. Obviously run a thorough scan through your security suite, but don’t presume that it will necessarily root out the problem – it didn’t this time, after all. If your security software is not set to auto update, make sure that it is.

Remove Permissions

A smart hacker will anticipate your password change and install “back doors” through which they can re-enter. One of the best ways to shut these back doors down is to remove permissions with any associated app that allows third parties to access your account.

Many of the most popular services, such as Google, Facebook, Twitter, and Dropbox, support OAuth, which lets outside apps access your account through the service’s API without ever being given your password. This is convenient, but dangerous.

Once you’ve dealt with the intrusion, be sure to shut down any back doors through which a hacker could re-enter.

If your friends are getting weird emails from you telling them to follow links for great deals on sunglasses, you’ve been hacked – and you have to act right away. Doing nothing is always the worst option. Act fast and try to think in a big-picture way that takes all your accounts into consideration. You’d better believe the hacker is doing the same thing.

Andrew Lisa is a freelance writer living in Los Angeles. He writes about online security and preventing digital crime.

PCI: Web Redirection Servers In Scope?

It is possible that web applications previously considered out-of-scope for PCI DSS could now be in-scope under PCI DSS v3. The impact of this could be significant depending on your existing card data environment (CDE).

It has long been accepted practice that any component that stores, processes or transmits cardholder data is in scope for PCI compliance. Therefore, web applications that only redirect to third-party payment gateways are not usually considered in scope, as they do not store, process or transmit cardholder data, nor are they directly connected to a system that does.

From a security perspective, this has been a bit of a blind spot within the PCI DSS. What if the source payment application is compromised in some way? Could this affect the redirection, perhaps tricking the user into visiting a fraudulent payment page?

This presented a challenge to both the QSA and the entity being assessed. A summary of our usual advice is encapsulated as follows:

Should the application doing the redirection be in scope? Yes.
Must the application doing the redirection be in scope? No.

And so this uneasy balance of security and compliance went on. That is, until a closer inspection of the wording in the new PCI DSS v3. On page 10, “Scope of PCI DSS Requirements”, there are examples of the kinds of system components that could be considered in scope for assessment (our emphasis):

“Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of (for example, name resolution or web redirection servers) the CDE.”

There are also further references to “redirection servers” in requirement 10.6, which covers the review of system logs.

It is certainly the case that the new standard tightens its grip on requirements where previously a generous interpretation might have sufficed. This new wording effectively demands that web redirection servers are at least considered as being part of the CDE. The recent PCI SSC European Conference included a discussion of this, and even more recently the issue was discussed at the QSA session at Visa Europe, London.

On both occasions, it was clear that this historical security blind spot has not gone unnoticed.

In conclusion:

Should the application doing the redirection be in scope? Yes.
Must the application doing the redirection be in scope? Possibly.

In one sense, our advice remains unchanged: all redirection servers should be in scope for security purposes, even if not for compliance purposes. Whether or not a server must be in scope is now a decision the QSA will make on an individual basis. The QSA will consider how the redirection is implemented and make a corresponding determination as to how the server may “impact the security of” the CDE.
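The post’s concern is a compromised redirection server sending shoppers to a fraudulent payment page. The following is an added example, not code from the original post or from any PCI document, showing the difference between a redirect that trusts its configuration blindly and one that fails closed against a pinned gateway and leaves an audit record for log review. The gateway hostname, paths and log format are constructed for illustration.

```python
"""Added example, not code from the original post: a payment redirect that
fails closed. Assumed setup: the merchant web server hands the shopper to a
third-party gateway with an HTTP redirect, and the gateway origin is fixed
at deploy time. Hostnames and the audit log format are constructed."""
from typing import List, Optional
from urllib.parse import urlencode, urlsplit

# Pinned gateway location, fixed at deploy time (constructed placeholder).
PINNED_SCHEME = "https"
PINNED_HOST = "pay.example-gateway.test"
PINNED_PATH = "/checkout"

# In-memory stand-in for the web server's log, so the check leaves a record
# that a daily log review can pick up (the post notes PCI DSS 10.6 covers
# review of system logs).
AUDIT_LOG: List[str] = []


def weak_redirect_target(configured_url: str, order_id: str) -> str:
    """The 'before': trusts whatever URL sits in configuration or a template.
    Anyone able to edit that file on the redirection server chooses where
    the shopper is sent, and nothing is logged."""
    return f"{configured_url}?{urlencode({'order': order_id})}"


def hardened_redirect_target(configured_url: str, order_id: str) -> Optional[str]:
    """Only redirect when scheme, host, port and path match the pinned gateway.
    Returns None and writes an ALERT entry on any mismatch, so a tampered
    configuration fails closed instead of sending shoppers to a lookalike."""
    parts = urlsplit(configured_url)
    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        port = -1
    mismatch = (
        parts.scheme.lower() != PINNED_SCHEME
        or (parts.hostname or "") != PINNED_HOST
        or parts.path != PINNED_PATH
        or port not in (None, 443)
        or parts.username is not None  # rejects "https://pinned-host@other.test/"
    )
    if mismatch:
        AUDIT_LOG.append(
            f"ALERT redirect_target_mismatch order={order_id} "
            f"got={configured_url!r} expected={PINNED_SCHEME}://{PINNED_HOST}{PINNED_PATH}"
        )
        return None
    AUDIT_LOG.append(f"INFO redirect order={order_id} target={configured_url}")
    return f"{configured_url}?{urlencode({'order': order_id})}"


def review_log(lines: List[str]) -> List[str]:
    """Log review helper: return only the entries that need a human's eyes."""
    return [line for line in lines if line.startswith("ALERT")]


if __name__ == "__main__":
    good = "https://pay.example-gateway.test/checkout"
    tampered = "https://pay.example-gateway.test.evil.example/checkout"  # constructed lookalike
    print(weak_redirect_target(tampered, "A1"))      # shopper would be sent to the lookalike
    print(hardened_redirect_target(good, "A1"))      # normal redirect URL
    print(hardened_redirect_target(tampered, "A2"))  # None, and an ALERT is logged
    print("\n".join(review_log(AUDIT_LOG)))
```

Pinning the target is only one control; the same idea extends to verifying the integrity of the configuration or template file itself before the server starts.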

Image courtesy of chanpipat / FreeDigitalPhotos.net

Why Facebook’s Reaction to the Adobe Hack Should Concern You

by Sara Stringer

When Adobe was hacked in early October, a few companies chose to respond with user security in mind. One of the more interesting responses was a proactive effort to lock out users who may have their information compromised outside of Adobe’s servers.

Facebook led this charge by mining the leaked user data and cross-referencing it with its own records. Put another way, Facebook purposely mined very sensitive information about you that may have included your credit card details. It starts to sound less helpful when there is more data at stake.

True, many users have learned a valuable lesson, but as we proceed deeper into the post-privacy era, one is forced to ask about the cost of such lessons.

Vary Passwords

One of the first takeaways is that many users had bad combinations of usernames and passwords. Entries like “password123” were commonplace, and these were often used for both accounts. This disregard for security is not only irresponsible, it’s dangerous. Imagine if that person’s bank password were something easy to guess like a birth date or social security number. That data is easy for hackers to find if they have enough identifiable information about you, especially access to your email. Use a different password for each service you use so that one weak point does not expose the rest.

Use Password Managers

Password management applications and browser plugins are useful for remembering the passwords that do build up. OAuth is another technology that helps with consolidation by utilizing existing logins from Facebook, Google, Twitter or other services to allow access to something else. Password management is safer than writing passwords down, and multiple layers of security protect your account from breach. It prevents situations like the Adobe hack from affecting you because you will be better prepared with separate passwords for each service.

Utilize Private Browsing

Private browsing allows you to create a session that will have short-term memory and lose everything you searched for when you close it. This is useful for situations where you have to log in to Facebook from a public location, but you can use it for Christmas shopping and other practical purposes too. Private browsing does not protect you from people snooping on you, nor does it protect from keyloggers. It only protects local access to your data.

Antivirus

Total Internet security encompasses email, browser, operating system(s), and even mobile devices. Good Internet security detects and removes threats with routine updates in real-time. Antivirus systems look at your data and compare it to known viruses to form a picture of the safety of your device. Remember that downloads may provide access to your data in ways you didn’t intend. It’s a good idea to check for viruses and malware routinely so your browsing habits and your data stay safe.

Seed Email Addresses

A seed email address that catches all of your accounts for bills or newsletters may be a good solution to guard against data breaches. These accounts limit the exposure a potential breach can have to your contact list and safeguard the access to information that a person may gain. Don’t forget to create seed recovery email addresses either. A good combo might be bills@yourname and recovery@yourname.

The Up Side

At the very least, Facebook is showing some concern for those users affected and teaching them a valuable lesson. Users will get the protection they want, but their profiles are still publicly available for anyone to search on the Web. Hopefully, this lesson in security will teach users that breaches occur in ways we can’t anticipate, so it’s best to safeguard on all fronts if possible.

Sara is a self-taught small business and personal financial consultant, and she enjoys soaking up the sunshine when she’s not working or blogging.

Image courtesy of foto76 / FreeDigitalPhotos.net

The Impotence of Passwords

No, that’s not a typo.

More evidence has emerged that millions of people choose poor-quality passwords. This is perhaps less surprising than it is disappointing. Why are we still having this discussion? Why is the most widely deployed authentication factor in the world so poorly implemented?

Unfortunately, the truth lies in the fact that, if given the chance, many of us will choose poor passwords. By poor we mean too short, too easy to guess, or the same as every other password we use everywhere else. And, let’s be honest, many users will become frustrated if an app/website enforces a password complexity policy.

Complexity is easy to sell for online banking systems, but outside of that, many users are simply frustrated if they are forced to come up with a decent password. Sites that are easy to use get more visitors. Put up barriers to entry at your peril.

Until such time as the humble password is treated with the respect it deserves, our oldest, most upstanding security ally will remain somewhat limp.


5 Cyber Security Threats You Need To Know About Now

by Blake Pappas

The web just isn’t a safe place anymore. Cyber threats have matured over the years and everyone, netizens or not, has already suffered untold human cost. There are direct and indirect losses involved. Cyber attacks have inflicted especially long-lasting harm on many organizations and businesses. The growing concern for cyber security, according to a report by Burning Glass International, explains why US demand for cyber security experts increased 3.5 times faster in five years alone.

Here are five threats every prospective cyber security professional needs to know:

Malware

Malware is any malicious software designed to disrupt a computer’s operation and illegally harvest sensitive information such as passwords, account details and financial data. Computer malware is not an entirely new concept, but malware for mobile technology has increased significantly in the past few years. Malware attacks on mobile devices, in fact, are growing at an alarming rate of over 600 percent.

Android users are especially advised to install the latest version of the software to get the essential malware patches for mobile security. Some malware may include spyware, another pesky kind of malicious software that tracks the user’s every move to obtain passwords and other sensitive data.

It only takes a few seconds or a single click for users to fall victim. Criminals either trick users into downloading malware by accident or into downloading what seems like free software. Malware can also be spread on Facebook by unknowing friends and colleagues whose accounts may be compromised.

Spam

Everyone with an email account knows what spam is. It’s junk mail, a malicious email that prompts users to download a computer virus or defrauds them. It can even cause users to defraud a friend or everyone in their address book. Criminals can hack into a user’s account and use it to send an email asking for money.

Unsecured Networks

The Internet is everywhere. Almost every consumer device can now connect to the Internet: computers, laptops, smartphones, tablets, TVs, gaming consoles, and many more “smart” household appliances. It’s a very convenient setup but it comes with significant risks. In fact, many home wireless Internet networks remain unsecured and therefore vulnerable to cyber criminals. Once hackers get onto a network, they are able to illegally access a device and compromise its security.

Data Breaches

Since 2012, many of the world’s most popular brands were compromised by hackers. Cases of data breaches exposed thousands and thousands of usernames and passwords. Yahoo, Evernote, LivingSocial, Global Payments, LinkedIn—all have been attacked in 2012.

Just this week, 2.9 million Adobe customers were hit by a massive data breach. What’s more, the company revealed that the attack exposed financial data, that’s nearly 3 million customer credit card details. Massive data breaches have compelled websites to implement two-factor authentication. It’s an additional step to enhance cyber security, although security researchers are looking for more ways to help keep user data safe.

DDoS Attacks

DDoS stands for “distributed denial-of-service” and attacks of this kind are becoming increasingly popular among hackers. The aim is to make a service or system unavailable to users. DDoS attacks are also growing in scale. Prolexic, a DDoS mitigation firm, disclosed an 88 percent rise in the number of DDoS attacks in the third quarter of last year. Prolexic reported that these attacks have increased both in duration and in the amount of bandwidth involved. Their targets, mostly large U.S. financial firms, have greatly suffered from massive attacks that exceeded 60 Gbps. Compare this to the 5–10 Gbps attack typically perpetrated.

There are many other threats to cyber security you need to know. If you’re considering a career in business intelligence or cyber security, familiarize yourself with these five and increase your knowledge with information security management courses.

Author bio: Blake Pappas completed his undergraduate degree in Justice Studies from Arizona State University. Blake has also recently worked in higher education and is currently pursuing a Master’s degree in Business.


From Health to Security: The Best Apps For Senior Citizens

by Brian Zeng

It is not unusual for senior citizens to be extremely skeptical about technology, and that is sometimes frustrating to their family members. This skepticism, however, should be seen in its right context. It is not a reflection on the ability or inability of the technology to deliver but more an inherent distrust of something we haven’t grown up with or haven’t known for long.

The smartphone technology of today is nothing short of miraculous. It has also evolved at such a fast pace that even the younger generations have to learn to keep up. Anybody who hasn’t been clued into the long and endless roll-out of newer forms of mobile devices will quickly find themselves on the sidelines, scratching their heads and wondering what on earth is going on.

Senior citizens often wonder why people are increasingly glued to their phones, a device primarily meant to make and receive calls, with the ability to store and play music being a plus.

This surprise will be lessened when they take a close look at how the humble smartphone can become their best assistant via its features and apps that do exactly what they were meant to – make our lives easier.

Seniors in particular should clutch this technology with both hands (and the reasons for that will become apparent as you read further).

So without any delay, let’s look at some of the best apps in the market for senior citizens. These could be related to health or information security, basically anything that just plain makes life easier.

(Disclaimer: When we say ‘in the market’ we are not referring to apps that come at a price. Even though there are some excellent ones that fall in that category, and we encourage you to check them out. But for the purpose of this post, we will stick to the apps available for free download.)


1. My Eyes Only

This app is meant to be one-stop access to all your passwords and important data. It will store your card details (credit cards, debit cards, shopping cards, travel cards, etc.); information about your financial accounts; web login details; passport details; insurance details; and medical details, all in one place, and secure it with a password.

So the only thing that you need to remember is your password to the app. No more having to keep track of a hundred different things lying here and there. Retrieval of information is also very fast and hassle free since you are more likely to have your phone with you than a laptop or a sheet of paper.

If you are someone who does not like to remember a number of things and tend to forget in which diary you had scribbled what, this app can be your savior.

Available for free download on Apple devices.

2. The Vault

This is another app that stores all your documents (Word documents, Excel spreadsheets, PowerPoint presentations, photos, notes, etc.) in one place and encrypts the confidential information.

A cloud storage option is also available, which means you can access your data from anywhere.

The app runs on Apple devices and is available for free download.

(A note: there are many apps out there that offer similar features, so Android and Windows Phone owners shouldn’t feel left out. A simple search will yield options compatible with your phone software. The aim of this post is to give you an idea of the extent to which you can use your smartphone to aid your daily living.)

3. Find my iPhone

Forgetting where you left your phone is not something that is confined to an age group, but more likely to happen to those who simply haven’t been in the habit of carrying their phone with them all the time.

When that happens, and you simply have no idea where it could be, the best way to find it is to ring it from another number. That will tell you instantly where it is lying. But if your phone is set to silent or vibrate mode, or is somewhere far away, that won’t be of much help. An app like ‘Find my iPhone’ will locate your missing phone on a map if you sign into the app from another iOS device. The app will also make your phone play a sound at full volume, regardless of the sound settings saved on your phone, to help you find it if it is within earshot.

You can also use this app to remotely secure your data while you are still looking for your missing phone.

Available for free download on Apple devices.

4. Mint

Take the pain out of money management with an app like Mint. It will store all your personal financial information in one place and keep track of your spending, while also allowing you to set a budget.

Depending on how you use this app, it can help you plan for your retirement, create monthly budgets, and even give you recommendations on where you can save.

Available for free download on iOS and Android devices.

5. AARP

Any senior in the US absolutely should have this app, even if they are not a member of AARP. The app will create a community feel for you, since you will have access to the best content on the AARP website, as well as any and all news, views, reviews, health and financial advice, and discounts pertaining to seniors.

The best part of this app is that it can be downloaded for free to iOS, Android, as well as Windows phones.

6. MapQuest

This app offers voice-guided navigation and alerts you about the traffic along your chosen route. If you make a wrong turn it will re-route you and put you back on the right track. You can also use this app to look up landmarks, restaurants, and gas stations in the area you are in or are headed to.

Available for free download on Android devices.

Author Bio:

Brian Zeng is associated with CCTVHotDeals, a leading e-commerce company in surveillance systems. He is a writer for CCTVHotDeals and has many years of experience partnering with clients to build their business through the development and implementation of proven Internet marketing strategies. Follow him on Google+.

Image courtesy of chanpipat / FreeDigitalPhotos.net

5 Ways to Avoid Fraud in the Age of the Affordable Care Act

[Image courtesy of chanpipat / FreeDigitalPhotos.net]

In the US, the Affordable Care Act has been a consistent feature in the headlines since it became law back in 2010. Now, with the opening date of the online state health insurance marketplaces less than a month away on October 1st, many Americans are eager to sign up for insurance and finally see how it’ll all work.

States can opt to be in charge of creating and regulating their own insurance marketplaces, while others have left the task to the federal government. In recent months there has been a fair amount of speculation about the effectiveness of the digital security measures being used to secure the marketplaces, especially with the federal government delaying key security testing deadlines until mere days before the marketplaces go live.

Aside from possible identity thieves making trouble in the case of lax digital security, there are also phone and door-to-door scams. These scams consist of emails, phone calls, or even home visits from supposed “government officials” working in accordance with the new law. Another popular scam comes in the form of an invitation from an “insurance representative”, who falsely offers assistance with the ins and outs of the new healthcare law in order to obtain personal and financial information.

In California, one scam claims that failure to buy insurance immediately could result in imprisonment.

What makes this type of scamming possible is that misinformation about the ACA is everywhere. Most people are not sure exactly what the law is or how it affects them. This confusion makes the majority of people prime targets for fraudsters.

So what does all this mean for the average consumer? When it comes to the ACA, how do you know whom to trust? Without further ado here are five fairly simple, common sense strategies that will help keep you and your loved ones protected from fraud and identity theft.

Number 1: Get Informed

Knowledge is the most important element of consumer protection.

If you know that insurance marketplaces don’t open until October 1st, you’ll know better than to be taken by scams that tell you to act immediately or else.

But how do you find this proper information? And how do you know if a site or email is attempting to mislead you using falsified information?

To check, go to a reliable source and read about the ACA. State and federal government websites are great resources for factual information. Here’s a helpful page from the Department of Health and Human Services: http://www.hhs.gov/healthcare/rights/index.html.

Number 2: Don’t Be Gullible

If you receive a suspicious or unusual email, call, or visit, don’t just take it at face value. For some seniors, this can sometimes be difficult given that they may not be of completely sound mind, or reasoning.

Think about it this way: If a stranger asked to come into your home, would you let them in?

The question is the same with your insurance and identity information.

If a person or organization claims to be official, do your research. Inputting email addresses and organization names into a search engine can be a quick and easy way to protect yourself from unknowingly putting your information into the wrong hands.

If you’re dealing with a fake, chances are you’ll find out within seconds.

Number 3: Have A System In Place For Personal Security

When it comes to fraud, protecting digitally stored information is key.

Change your passwords regularly and never give out your passwords or account numbers to anyone. If someone comes to your home claiming to be from the government, they are required to show you identification. Be sure to request this information, and to question anyone who asks for your social security number, email, or bank account information.

This is all very basic stuff, but it doesn’t always dawn on people to protect their identities in this way.

Number 4: Develop A Plan Of Action

If you know that insurance marketplaces open on October 1st, and you’ve gone to your state website, then you can begin to develop a plan of action.

By this I mean having a sense of the steps in the process of purchasing healthcare under the ACA, so that when the time comes, you won’t be scrambling.

If you have an idea of how things will work, you will be less likely to be roped in by scammers. No one can do the work for you, and developing a plan of action also helps you to be more prepared in general, when the changes take place.

Number 5: Stay Informed

I cannot stress this enough: keep yourself updated on any and all changes to the ACA by frequenting state and government websites.

If the marketplace implementation date is pushed off to November, for instance, you should be aware of the change as soon as possible, so that you can prepare accordingly.

Legislation is always subject to change, and as we know, plans on paper don’t always work out the same way in the real world. The Affordable Care Act is no exception. Since its inception, the law has gone through numerous changes, and it will continue to go through changes before October.

So it’s up to you to keep yourself in the loop, and to keep your livelihood protected.

That way, you’ll be able to focus on the benefits of this landmark piece of legislation, and get the quality care you deserve.

Michael Cahill is the Editor of the Vista Health Solutions Blog. He writes about the health care system, the health insurance industry and the Affordable Care Act. Follow him on Twitter at @VistaHealth and @VistaHealthMike.