The purpose of this disclosure is to inform you of minimum security recommendations and of the documentation on the PCI Data Security Standard, with which you are required to comply in order to gain “safe harbor” (a limit of liability) should your system be compromised and credit card data stolen. This disclosure has been broken down into several sections:
- Think about security.
- Develop a written policy.
- Follow that policy.
Security is not just in the Genisys 2 applications; it is also in how you implement them, how you secure your network, and how you physically handle data such as backups and reports.
Genisys is not going to make any recommendations for physical security beyond asking you to read, understand, and follow the PCI standards. This includes building access, backup control, report control, and more.
A SPECIAL NOTE on BACKUP SECURITY:
You are advised to be aware that backups of data (stored on tape or other media) from older versions of AlphaRENTAL, AlphaSPORTS and MovieRENT may contain unencrypted card data. For more information, please see section 1.1.5 of the PABP Implementation Guide.
Login & Password:
Each user should have a unique user ID and password (no sharing), and no one should use the “root” account unless they are doing system administration work. You should use complex passwords and change them periodically. You should administer your users and delete the accounts of terminated employees; at a minimum, change their passwords after they leave and then append something to the end of their user names to signify that the accounts are no longer to be used.
Make sure to follow the requirements of Section 8 of the PCI standard.
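The account hygiene described above (no shared “root”, no empty passwords, terminated employees locked out or renamed) is easy to check with a small audit script. The following is an added example, not part of the original disclosure or of any Genisys software: it reads a file in the standard seven-field /etc/passwd layout (assumed; the sample entries are constructed) together with a list of terminated user names, and prints one finding per line. The suffix `_TERMINATED` and the set of non-login shells are assumptions you would adjust to your own policy.

```shell
#!/bin/sh
# Added example (not Genisys code): audit a passwd-format file for the account
# hygiene rules above. Assumes the standard 7-field layout:
#   name:password:uid:gid:gecos:home:shell
# Findings printed, one per line:
#   SHARED_ROOT:user          a second UID-0 account, i.e. the root identity is shared
#   EMPTY_PASSWORD:user       the password field is empty (login without a password)
#   ACTIVE_TERMINATED:user    a listed terminated employee whose account still logs in
#   RETIRED_STILL_LOGIN:user  an account renamed with the suffix but not actually disabled
# An account that was renamed with the suffix no longer matches its name in the
# terminated list, so the rename itself is treated as the intended outcome.

# audit_accounts PASSWD_FILE TERMINATED_FILE [SUFFIX]
audit_accounts() {
    passwd_file=$1
    terminated_file=$2
    suffix=${3:-_TERMINATED}
    awk -F: -v termfile="$terminated_file" -v suffix="$suffix" '
        # true when the shell still permits an interactive login (assumed list)
        function login_shell(s) {
            return !(s == "" || s == "/bin/false" || s == "/sbin/nologin" || s == "/usr/sbin/nologin")
        }
        # true when the name ends with the retirement suffix
        function has_suffix(u) {
            return length(u) > length(suffix) && substr(u, length(u) - length(suffix) + 1) == suffix
        }
        BEGIN {
            while ((getline line < termfile) > 0)
                if (line != "") terminated[line] = 1
            close(termfile)
        }
        /^#/ || NF < 7 { next }
        {
            user = $1; pw = $2; uid = $3; shell = $7
            locked = (pw ~ /^[*!]/)          # "*" or "!" in the password field means locked
            if (uid == 0 && user != "root")  print "SHARED_ROOT:" user
            if (pw == "")                    print "EMPTY_PASSWORD:" user
            if ((user in terminated) && login_shell(shell) && !locked)
                print "ACTIVE_TERMINATED:" user
            if (has_suffix(user) && login_shell(shell) && !locked)
                print "RETIRED_STILL_LOGIN:" user
        }
    ' "$passwd_file"
}

# run_sample_audit: builds constructed sample files and audits them (demo only)
run_sample_audit() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:Superuser:/:/bin/sh
backup:x:0:0:Shared root clone:/:/bin/sh
jsmith:x:1001:100:Jane Smith (left):/home/jsmith:/bin/sh
bjones_TERMINATED:x:1002:100:Bob Jones (left):/home/bjones:/bin/false
cashier1::1003:100:Front counter:/home/cashier1:/bin/sh
mlee:x:1004:100:Mary Lee:/home/mlee:/bin/sh
tnguyen_TERMINATED:x:1005:100:Tom Nguyen (left):/home/tnguyen:/bin/sh
EOF
    cat > "$dir/terminated" <<'EOF'
jsmith
bjones
EOF
    audit_accounts "$dir/passwd" "$dir/terminated" "_TERMINATED"
    rm -rf "$dir"
}

run_sample_audit
```

On a live server you would run `audit_accounts /etc/passwd /path/to/terminated.txt` as part of a periodic review; a clean run prints nothing. Where passwords live in a shadow file, the password field reads `x` and the locked-account check must be made against that file instead.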
As usual, we continue to recommend that you keep your network secure by going through your network or internet provider. Our general recommendations are to have a firewall that is well maintained, to restrict access as much as possible with the firewall and logins, and to use some sort of secure connection for anyone accessing sensitive data such as credit card data (for example SSL, SSH, a secure VPN, or two-factor authentication). You should restrict access to the main SCO server even further, allowing access to it only from known IP addresses such as your home-based PCs or Genisys support personnel.
There are many good articles available about security and how you can “harden” your system to make it safe from outside access. The simplest measures are to keep your firewall up to date and control access through it to your server, and to make sure that any dial-up modem with access to the server is turned off when not in use. We can also help you add more levels of security to any dial-up modem(s) you may have on your server.
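The “known IP addresses only” rule above is a default-deny allow-list. The following is an added example, not part of the original disclosure or of any Genisys or firewall product: a POSIX shell function that decides whether a connecting address is on an allow-list of single addresses and CIDR ranges. The allow-list file format, the two sample entries (RFC 5737 documentation addresses, constructed for the demo) and the helper names are assumptions; the same logic is what a firewall rule set or a TCP-wrapper style check applies.

```shell
#!/bin/sh
# Added example (not Genisys code): allow-list check for remote access.
# Allow-list file format (assumed): one entry per line, either a single
# dotted-quad address or a CIDR range such as 198.51.100.0/24; blank lines and
# lines starting with "#" are ignored. Anything not listed is denied.

# ip_allowed IP ALLOWLIST_FILE  -> exit status 0 if IP matches an entry, 1 otherwise
ip_allowed() {
    awk -v ip="$1" '
        # true when a is a well-formed dotted quad (four octets, each 0..255)
        function valid_ip(a,   p, i) {
            if (split(a, p, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        function ip2int(a,   p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        BEGIN {
            allowed = 0
            if (!valid_ip(ip)) exit          # malformed client address: deny
            n = ip2int(ip)
        }
        /^[ \t]*$/ { next }                  # blank line
        /^[ \t]*#/ { next }                  # comment
        {
            entry = $1; bits = 32
            if (split(entry, parts, "/") == 2) { entry = parts[1]; bits = parts[2] + 0 }
            if (!valid_ip(entry) || bits < 0 || bits > 32) {
                print "ignoring malformed allow-list entry: " $1 > "/dev/stderr"
                next
            }
            # compare only the top "bits" bits by discarding the low 32-bits ones
            shift = 2 ^ (32 - bits)
            if (int(n / shift) == int(ip2int(entry) / shift)) { allowed = 1; exit }
        }
        END { exit (allowed ? 0 : 1) }
    ' "$2"
}

# sample_allowlist_check IP: builds a constructed allow-list and tests IP against it
sample_allowlist_check() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed allow-list: the owner's home PC and the vendor support range
203.0.113.25
198.51.100.0/24
EOF
    if ip_allowed "$1" "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# check_access IP: human-readable wrapper for interactive use
check_access() {
    if sample_allowlist_check "$1"; then echo "allow $1"; else echo "deny $1"; fi
}

check_access 203.0.113.25
check_access 198.51.100.77
check_access 10.0.0.1
```

Run it as `sh allowlist.sh`; the first two addresses print `allow` and the last prints `deny`. Keep the allow-list short and reviewed: every entry is a path into the server, and a home PC address that changes (dynamic IP) should be replaced by a VPN endpoint rather than widened to a large range.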
Once you are running the newest revision of version 9 of the database, you will automatically be running with full AES-256-CBC encryption.
It is never recommended that you have customers email you credit card numbers; always take card details over the phone or, if the customer is in your location, by using the magnetic stripe readers.
Genisys truly appreciates your cooperation in upholding these security recommendations. However, please remember that it is your own responsibility to follow the PCI standards and to ensure the safety of your data. Thank you.
PCI Standards – More Information:
Please read over these VISA web pages regarding:
Compliance validation details for merchants:
- Build and Maintain a Secure Network
  - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - Requirement 5: Use and regularly update anti-virus software
  - Requirement 6: Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know
  - Requirement 8: Assign a unique ID to each person with computer access
  - Requirement 9: Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
- Maintain an Information Security Policy
  - Requirement 12: Maintain a policy that addresses information security
While non-compliance penalties vary among the major credit card networks, they can be substantial. Participating companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance.
The risk is that a hacker can alter a NON-ecommerce website, making it appear that a purchase can be made, by using methods such as Cross-Site Scripting. An example might be that a hacker could place a link on one of your sites that invites the customer to “Buy Now”. The link takes the customer to the hacker’s domain, cleverly designed to look like your website. The customer then gives the hacker his/her credit card info. Phishing can also occur, where some social engineering can lead to the theft of cardholder data.
We have heard of instances where the Card Brands have chosen to fine a merchant who was compromised because they had not followed the rules of scanning EVERY active, public-facing IP address; EVEN when the portion NOT in compliance had nothing to do with the actual compromise.
On Visa’s website they describe “Safe Harbor”.
Safe harbor provides members protection from Visa fines and compliance exposure in the event that its merchant or service provider experiences a data compromise. To attain safe harbor status:
- A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
- A member must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance.
- It is important to note that the submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.
We have been told in the past that “full compliance” means EVERY active, public-facing IP address. Choosing not to have external vulnerability assessment (VA) scanning run against information-only websites appears to be a risk you will have to weigh. If you perceive that risk to be minimal, that’s your call.
Here is some wording from the Security Scanning Procedures document (download from https://pcisecuritystandards.org/tech/supporting_documents.htm). It tells you to make the call, but again, I will state that there can be some risk of fines in the right circumstances, should there be a compromise (see the “Safe Harbor” wording above).
PCI Security Scans may apply to all merchants and service providers with Internet-facing IP addresses. Even if an entity does not offer Internet-based transactions, other services may make systems Internet accessible. Basic functions such as e-mail and employee Internet access will result in the Internet-accessibility of a company’s network. Such seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and potentially expose cardholder data if not properly controlled.
Scope of PCI Security Scanning
The PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. If active IP addresses are found that were not originally provided by the customer, the ASV must consult with the customer to determine if these IP addresses should be in scope. In some instances, companies may have a large number of IP addresses available while only using a small number for card acceptance or processing. In these cases, scan vendors can help merchants and service providers define the appropriate scope of the scan required to comply with the PCI. In general, the following segmentation methods can be used to reduce the scope of the PCI Security Scan.
- Providing physical segmentation between the segment handling cardholder data and other segments.
- Employing appropriate logical segmentation where traffic is prohibited between the segment or network handling cardholder data and other networks or segments.
Merchants and service providers have the ultimate responsibility for defining the scope of their PCI Security Scan, though they may seek expertise from ASVs for help. If an account data compromise occurs via an IP address or component not included in the scan, the merchant or service provider is responsible.