Pci in the spotlight winter 2017


PCI in the spotlight Winter 2017

Season's Greetings to you all. It’s that time of year again. The time of year when outside of work we are busy buying presents, making lists of what to cook and buy, writing cards, watching pantomimes, and in some cases dreading having to sit with certain family members with a fixed smile on your face and a paper hat on your head! We all do it, so let’s not think “oh no I don’t”, because “oh yes we do”. I myself love the festive season, albeit it being very busy, but it is a time that I get to be with my family and friends, to sit and relax, to dress up or not, whatever it is that you like to do best. It’s a perfect time to sit and reflect over the last 12 months, and to think about the year ahead. I love it, and I hope that you do also.

Inside of work at the moment you may be busy thinking about peak trading, change freezes, end of year reviews and what your plans and objectives for 2018 are. For me and my team it is no different. We are busy thinking about scheme returns, making sure we support customers in achieving and maintaining PCI compliance, our own objectives and targets for 2018, and of course, GDPR and PSD2. With that in mind, don’t forget to add those two very important regulations to your to-do list for 2018, and don’t forget of course the deadline for the changes to TLS and SSL.

Now, call me cynical if you would like to, but I don’t think that I am the only one to be saying this or thinking in this way, but we seem to be hearing of some pretty big data breaches in the press at the moment, ones that have been around for some time, but are only now getting out into the public domain, and I wonder if that is just bad luck or if it is coincidental that GDPR comes into effect in May 2018, and with that comes some pretty hefty fines that affect organisations’ turnover – cynical? Maybe, maybe not, but if you don’t know why I mention this, then you should do, so plan now ready for when GDPR hits us all. Start reading if you have not already done so.

New Year’s Eve is the time when we all have the opportunity to make New Year’s resolutions, and stick to them, or that is the plan of course! I would ask each of you who has not yet achieved PCI compliance to make 2018 the year to commit to this, as it will assist with your GDPR obligations, as you already have a framework in place that works.

Moving on, as always we have some really fabulous articles for you to read, so read on and enjoy. Don’t forget that if you particularly wish for us to write on any specific topics, then get in touch with us, and we will do our best to accommodate this. It only leaves me to say, Merry Christmas, and a Happy New Year to each and every one of you. May your hopes and dreams all come true for 2018.

Thanks as always for reading,
Tracey
tracey.long@worldpay.com
Worldpay - www.worldpay.com


In this issue 

Industry events

Quarterly reporting date

In Focus: The Associate QSA program

Spotlight: Case Study

Tech talk

Final Words

Industry events

All events are in London unless otherwise stated, and are mostly run by AKJ Associates (a), PCI SSC (p), or Vendorcom (v).

December 2017: 5th – Future of Payments Conference (v)
January 2018: 25th – PCI London (a)
February 2018: 20-22nd – Merchant Payment Ecosystem MPE (Berlin) (p)

Quarterly reporting date

Please submit your next progress update by 15 December 2017, including:

Your milestone report, sent through the prioritized approach tool (if you're working towards compliance)

Your latest RoC or SAQ with AoC (if you're compliant, or revalidation is due)

Your network vulnerability scan executive report

Confirmation that you're using a PA DSS compliant payment application

Confirmation that you are not storing Sensitive Authentication Data (SAD) on your systems

Please also remember, if you have failing scans for SSL / early TLS reasons, we will need to see your Risk Mitigation & Migration Plan (RMMP) as well. Any queries, please contact your dedicated PCI consultant at Worldpay who will be more than happy to help.

In Focus: The new Associate QSA programme explained

Gill Woodcock, Director of Certification Programs.

There are more ways of making and receiving card payments than ever before, which in turn makes the PCI Security Standards Council’s (PCI SSC) work to secure payment data more diverse and necessary than ever. In addition to evolving security standards to meet the demands of new technology, we also strive to evolve and adapt our programs to meet increasing global demand for payment security education. In particular there is an increasing demand for Qualified Security Assessors (QSAs), and so to help tackle this global shortage of cyber talent we are launching the Associate Qualified Security Assessor (AQSA) program ready for the start of 2018. The AQSA program will provide an entry path for individuals working for QSA Companies to achieve full QSA status. The program has been developed as a result of feedback from the community and with the input of QSA companies from around the world. AQSAs will take the same training and exam as QSAs but will work under the supervision of an experienced mentor to gain the skills and experience needed to achieve full QSA status. Mentors will receive training and support materials from PCI SSC to help them fulfil their important role and the PCI SSC Assessor Quality Management team will be closely involved to help ensure this new initiative delivers on its intent.

As merchants and processors you may come across AQSAs helping out with PCI DSS assessments as part of their learning experience. AQSAs are encouraged to develop their skills and experience by undertaking a range of different tasks, but are prohibited from leading assessments, confirming PCI DSS compliance status, evaluating compensating controls or initiating/leading compliance discussions. The full range of do’s and don’ts for AQSAs is contained in the updated QSA Qualification Requirements and Program Guide which will be available on the PCI SSC website shortly. Any queries or feedback about the involvement of an AQSA in an assessment should be directed to the QSA supervising their assignment in the first instance, but as always, PCI SSC welcomes direct feedback which can be sent in using forms on the website or directly to the QSA Program Manager via qsa@pcisecuritystandards.org. Alongside the launch of the AQSA program we are also introducing the requirement for QSAs to hold two industry certifications, covering audit and information security, instead of one. This is part of our ongoing initiative to ensure QSAs provide the best possible service to their merchant customers. More information on these initiatives and others can be found on the PCI SSC website. If you don’t already follow our blog please do take a look. We post new entries almost every week. Thank you for all of your support in 2017 and we look forward to working with you in 2018!

© Worldpay 2017. All rights reserved. This document and its content are proprietary to Worldpay and may not be reproduced, published or resold. The information is provided on an "AS IS" basis for information purposes only and Worldpay makes no warranties of any kind including in relation to the content or sustainability. Terms and Conditions apply to all our services. Worldpay (UK) Limited (Company No. 07316500 / FCA No. 530923), Worldpay Limited (Company No. 03424752 / FCA No. 504504), Worldpay AP Limited (Company No. 5593466 / FCA No. 502597). Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AF and authorised by the Financial Conduct Authority under the Payment Service Regulations 2009 for the provision of payment services. Worldpay (UK) Limited is authorised and regulated by the Financial Conduct Authority for consumer credit activities. Worldpay, the logo and any associated brand names are all trade marks of the Worldpay group of companies.

Spotlight

CASE STUDY: Using Worldpay’s products and services allows merchants to save up to 50% of their cost of PCI compliance.

By Ben Oguntala, CEO, www.paymentsandco.com, ben.oguntala@paymentsandco.com

A British independent catering company that operates high street cafes, restaurants, dining spaces inside public buildings as well as in-house corporate cafes, has become the first of its kind in the world to achieve and sustain PCI compliance for the 2nd year in a row with one of the lowest costs of PCI CAPEX and OPEX in the industry, using www.paymentsandco.com. One of the first tasks established was to ask the management the question: how would they like to take card payments and what would they like to do in relation to compliance? The answer created their PCI compliance strategy. This is what most merchants are missing today and one of the reasons why, for a Level 1 merchant, the independent catering contractor has one of the lowest costs for PCI compliance in the world! Their PCI compliance was achievable due to the fact that www.paymentsandco.com offer a managed service that allows the team to manage the entire lifecycle of payments for the organisation and has embedded PCI compliance into the organisation’s BAU (business as usual) process.

A merchant ID, which is the unique starting point from which www.paymentsandco.com begin to create their records, can be ordered online via the system, as it is connected to Worldpay’s Merchant ID issuing Department, from any of the business units that are distributed across the UK. The request is designed for PCI compliance and the integration with Worldpay means their service catalogue is filled with a variety of Worldpay’s PCI compliant products and services that the business can choose from. This ultimately results in PCI compliance from conception. This creates the perfect foundation to provide a variety of payment channels to the business whilst having PCI compliance embedded directly into each payment channel. The obvious benefit is that whether the Independent Catering Contractor has 200 or 2,000 payment channels, they would follow the same payment architecture. At any point in time, we can determine every single payment channel with the system of record and showcase how each payment channel is PCI compliant. As a payment integrator, there are a variety of PCI compliant online payment solutions that Worldpay offer merchants in the catering contract sector; these include email payments, debt collection, a tokenisation service for membership and recurring payments, a virtual terminal for admin payments and web/online payments. This suite of solutions means we can clean up, fairly quickly, non-compliant operations and offer business units a plethora of payment solutions that allow them to take card payments in a secure manner. PCI compliance has therefore been turned into a revenue generating activity allowing the business to offer true omni-payment channels, be creative in how it handles card payments and, all the while, have PCI compliance inherently embedded in their decision making process. The biggest challenge any merchant faces in relation to payment solutions is the cost of compliance, and Worldpay’s PCI compliant products and services have finally provided a solution that merchants can use cost effectively.

Tech talk

SSL & early TLS, are you ready to meet the deadline?

We know, we’ve already mentioned the removal of SSL and early TLS on a number of occasions this year: in previous newsletters, via ad-hoc mailings and through the many meetings and calls we hold regularly with our customers. However, we thought it wouldn’t hurt to mention it again to make sure we are all on track. So you need to ask yourself: is your organisation still using the SSL/early TLS protocols? Do you work with online and e-commerce partners or customers who haven’t yet started the migration away from SSL/early TLS to a more secure encryption protocol? With ONLY 6 MONTHS to go until the deadline we thought it would be a good opportunity to outline the requirement within the Data Security Standard and ask again: are you ready?!

30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) – in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data. It takes time to migrate to more secure protocols and with 6 months to go we recommend you don’t delay!

Migrate to a minimum of TLS 1.1, preferably TLS 1.2: While it is possible to implement countermeasures against some attacks on TLS, migrating to a later version of TLS (TLS v1.2 is strongly encouraged) is the only reliable method to protect against the current protocol vulnerabilities.

Patch TLS software against implementation vulnerabilities: Implementation vulnerabilities, such as Heartbleed in OpenSSL, can pose serious risks. Keep TLS software up to date to ensure it is patched against these vulnerabilities, and have countermeasures for other attacks.

Configure TLS securely: In addition to providing support for later versions of TLS, ensure the TLS implementation is configured securely. Ensure that secure TLS cipher suites and key sizes are supported, and disable support for other cipher suites that are not necessary for interoperability. For example, disable support for weak “Export-Grade” cryptography, which was the source of the recent Logjam vulnerability.

It is a requirement to report your position on the removal of these insecure protocols to us as your Acquirer via a Risk Mitigation & Migration Plan (RMMP); if in doubt, please ask your usual PCI DSS contact at Worldpay. There is also a guidance document available from the PCI SSC site which you may find helpful: Download Guidance for Migrating from SSL and Early TLS. Any questions, please get in touch with your usual PCI consultant who will be happy to help.
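The three points above (protocol floor of TLS 1.2, and disabling export-grade and other weak cipher suites) as an added Python example that is not part of the newsletter or the PCI SSC guidance. It builds a hardened server `ssl.SSLContext` with the standard library and runs a small audit over a context's minimum protocol version and enabled suite names; the legacy cipher list is constructed for illustration, and the `WEAK_MARKERS` name patterns are an assumption about which OpenSSL suite names denote export, anonymous, NULL, RC4, DES/3DES or MD5 suites.

```python
import ssl

# Substrings in OpenSSL cipher-suite names that indicate suites the migration
# guidance says to disable: export-grade, anonymous, NULL, RC4, DES/3DES, MD5.
# (Assumed marker list for illustration; not an exhaustive weak-suite catalogue.)
WEAK_MARKERS = ("EXP", "ADH", "AECDH", "NULL", "RC4", "DES", "MD5")


def hardened_context() -> ssl.SSLContext:
    """Server context that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor: TLS 1.2, the version the PCI guidance strongly encourages.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries explicitly drop export,
    # anonymous, NULL, DES/3DES, RC4 and MD5 suites regardless of defaults.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
    )
    return ctx


def audit_cipher_list(names, min_version):
    """Return findings for a protocol floor and a list of enabled suite names."""
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"protocol floor {min_version.name} is below TLS 1.2")
    for name in names:
        hits = [m for m in WEAK_MARKERS if m in name.upper()]
        if hits:
            findings.append(f"weak cipher suite enabled: {name} ({', '.join(hits)})")
    return findings


def audit_context(ctx: ssl.SSLContext):
    """Audit a live SSLContext: its minimum_version and the suites it offers."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit_cipher_list(names, ctx.minimum_version)


# Constructed legacy configuration that would fail the 30 June 2018 deadline.
LEGACY_MIN_VERSION = ssl.TLSVersion.TLSv1
LEGACY_CIPHERS = [
    "EXP-DES-CBC-SHA",             # export-grade suite
    "RC4-SHA",
    "DES-CBC3-SHA",                # 3DES
    "AES128-SHA",                  # not flagged by these markers
    "ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    for finding in audit_cipher_list(LEGACY_CIPHERS, LEGACY_MIN_VERSION):
        print("LEGACY:", finding)
    print("HARDENED findings:", audit_context(hardened_context()))
```

The audit only inspects a local context; it says nothing about what peers negotiate, so an external scan such as the network vulnerability scan in your quarterly report is still needed to confirm the exposed service.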

Cybercriminals leveraging Dynamic Data Exchange Protocol

On 8th November Microsoft published Security Advisory 4053440 providing guidance on securing Microsoft applications when processing Dynamic Data Exchange (DDE) fields. Visa have subsequently advised that they are aware of multiple cybercriminal threats to the payment ecosystem currently leveraging the DDE protocol in phishing campaigns. The primary exploitation method begins with a phishing email and relies on the Dynamic Data Exchange (DDE) protocol for infection instead of malicious macros or an exploit kit. Visa have alerted on this to ensure awareness of cyber threats exploiting this Microsoft Windows feature. Microsoft themselves provide controls and mitigations regarding the DDE protocol in their advisory. We know you all take the security of cardholder data seriously, but if you aren’t aware of the above please take a look and investigate your environments.

Final Words Managing Third Parties

As the title says we thought we’d make a final mention about managing third parties. Once the peak trade and excitement of the festive period is over there will hopefully be a chance for you all to draw breath and think about the upcoming New Year…if you haven’t done so already that is!

We hope that part of your 2018 strategy is to plan your continuing PCI DSS compliance programme, whether you are already compliant or still working towards that goal. Third parties, whilst providing many invaluable services for you and your organisations, can also present some challenges, especially if they are providing any services which store, process or transmit cardholder data on your behalf. They can be an integral part of any organisation’s cardholder data environment and due to this could also impact your PCI DSS compliance as well as the security of the cardholder data. Have you asked yourself the following: do you know how their approach towards PCI DSS compliance could affect yours? Have you factored in managing their revalidation as part of your own programme milestones? When was the last time you reviewed your third party assurance plan? The use of a third party does not remove your responsibility for your own DSS compliance or the accountability for ensuring the security of the cardholder data. We would therefore recommend a robust third party assurance programme is adopted by all our customers, with clear procedures and measures in place to manage all relevant requirements accordingly. Last year the PCI SSC published a guidance document covering the main considerations for a third party assurance programme and we highly recommend reading it and including it in your own programmes. The document is available using the link below or alternatively speak with your normal Worldpay PCI consultant who will be happy to help!

https://www.pcisecuritystandards.org/documents/ThirdPartySecurityAssurance_March2016_FINAL.pdf?agreement=true&time=1511178193731

Thanks for reading!

Thank you for taking the time to read our newsletter. Should you have any questions about the contents, please contact your dedicated PCI Manager or email us at: payment_datasecurity@worldpay.com
