PKF AvantEdge

Tag: saq (Page 2 of 3)

IATA PCI-DSS: Why your SAQs Matter

October 25, 2017 / / 0 Comments

We have had a few discussions among consultants as we progress further into this compliance for our Travel Agency clients. And very often (if not always), the matter always comes down to, “Can we just do an ASV scan and you certify us?”

We have touched this topic many times. ASV scans cannot certify you as PCI compliant. They are just one of the requirements. In fact for some of the SAQs (self Assessment questionnaire), ASV is not even needed.

SAQ A

We’ve gone through the famous SAQ A in our last post. This is basically where no card data is being entered in merchant environment and they basically forward everything over to the payment provider. There is no requirement for ASV. That doesn’t mean it makes it right though. Imagine this scenario: the developer makes a hopeless job at coding their web application. There are two ways SAQ A can be done: redirect or iframe. Let’s recap.

A redirect occurs when the merchant website sends a redirect instruction to the client browser when payment needs to be made. This instructs the client to connect directly to the payment gateway. This instruction could be a simple

onclick="location.href='https://payme.com';"

Or similarly through some javascript with window.location.

The iframe is similar, whereby a ‘child’ window is called directly from the payment gateway and has a window in the main merchant site. Although everytime this occurs, I have nightmares of those old websites with scrolling words, flashing lights and like 5 – 10 frames running at once. Netscape days.

iFrames are simple as well, with the site you want to call embedded within the <iframe src> tags.

So, anyway, back to ASV scans on these merchant sites. Although its not required, if the web application itself is poorly constructed and is compromised, there could be a high possibility that the redirect process itself gets hacked and redirected to another site that looks like the real payment site. You can imagine what happens next. The solution here is to ensure even on the merchant site, this site is developed with good secure coding practices. If ASV is not required, it does not mean you don’t need to run any scans. We would recommend vulnerability scans to still run against it, whether ASV or not. In fact, any web facing system out there should be tested – because if you are out there, it’s open season – anyone can attack it, and it’s up to you to secure it.

Conclusion: No need for ASV, but recommended – if not ASV, at least some security scans.

SAQ B 

Ah, the good old SAQ B. A lot of people misunderstand this for a good reason. Some of our retail clients, or F&B clients insists this is the correct one as they are using card terminals. However, they forget that most of them have their integrated POS systems – specifically because they need to charge an amount like food etc. So their POS systems sends these details to their EDC (Electronic data capture) terminals and the EDC accepts the DIP cards. What happens is that, these EDCs sends back the transaction data and in many cases, they still swipe our cards on the payment system. SAQ B doesn’t qualify here. SAQ B is specific for dialup EDCs directly to acquirer bank. For those using 3g/4g, then these can be considered as well. If you are using WIFI, or internal broadband link then you are out of luck. No SAQ.

Because of the direct point to point or cellular connectivity, ASV is not required (for a good reason!)

Conclusion: No Need ASV – IF you actually qualify for the SAQ that is.

SAQ C-VT

Another difficult SAQ to be eligible for. It has very specific requirements – whereby a web-based browser connectivity to a virtual payment provider who is PCI compliant. I think it really applies more to hospitality or travel agencies. In this case, the question is often asked – what about my broadband IP accessing the net? Because for sure, when I connect to my virtual terminal provider, I am using the internet right, and not leased line or any point to point? So for sure, my broadband has an IP. Just type “whats my ip” in google and it will show. Most of them have dynamic IP addresses as well. In SAQ C-VT there is no requirement to ASV scan.

However, having a dynamic IP and no ASV scan in SAQ C-VT doesn’t mean you still can’t do it. Many routers/firewalls are poorly implemented or poorly patched. We would recommend to do an internal scan on the firewall interface to ensure vulnerabilities are identified. Again, it’s a matter of securing the internet exposed system.

Conclsuion: No Need ASV, but we recommend an internal security scan on the firewall to ensure the box is properly hardened.

So, there you have it. It’s critical to know your SAQs so you know the extent of what NEEDS to be done and what is BETTER to be done than not.

If you need assistance with your PCI-DSS, drop us an email at pcidss@pkfmalaysia.com

IATA PCI-DSS: Is GDS Client software a browser? Part 1

September 1, 2017 / / 0 Comments

We are writing a fair bit on PCI-DSS for travel agencies simply because there is a deadline looming for them in March 2018 to become PCI compliant. While one might surmise there is still plenty of time, on the contrary, even merchant PCI programs will take a few months, and since the end of the year is pretty busy time for traveling, it’s best to get everything in order before the January – March months roll in next year.

So far, we know that the travel agencies are uniquely dealing with their PCI program whereby they have PCI obligations to their acquirer where most of them have card terminals merchant accounts with, and also IATA where they accept card through the “BSP channel”. They are both separate channels, because the BSP channel is actually acceptance of card IN BEHALF of airlines, not part of the agency’s own merchant flow.

So because of this, agencies have options to either fill in a full SAQ D-Mer and submit to acquiring banks and IATA, or to submit an SAQ B (or B-IP) to bank and SAQ C-VT (or C) to IATA. We are now looking into more details to the latter discussion – whether C or C-VT self assessment questionnaire should be filled.

Now before we start, we believe the answer to this is obvious. Ask IATA. We have. But we haven’t got any reasonable response. Next, they can ask the acquirer bank, which is what PCI-SSC suggests. Unfortunately for this channel, the merchant acquirer bank has no visibility over, so they don’t respond. Next, you could probably ask the GDS vendors. Which we also have. Only Amadeus have responded, when we queried whether we were correct in filing out SAQ C-VT: “Basically, if the payment is done via Amadeus and entered manually from a personal computer directly into the GDS – you have (the) right form for Amadeus agents and tick it off with confidence.”

Now it doesn’t really go out of the way to say it, because for this channel, technically, as long as no card data is stored electronically, we need to look at the eligibility of SAQ C vs SAQ C-VT. First of all, SAQ C has 162 questions. SAQ C-VT has 81 questions. More notably, SAQ C-VT does not have obligations for ASV scans whereas SAQ C has. Also, as an introduction for SAQ C, this is mainly designed for restaurants, fast food, franchisees with integrated Point of Sales. You know, the one we see at Oldtown Kopitiam whereby the point of sales system is like a desktop computer that has a LAN connectivity. The SAQ C-VT is designed for very small businesses who needs to enter manually the credit card number to a Virtual Terminal that connects to the acquirer through a ‘web-browser based connectivity’. Now these terms are very important to note, as we go into more details.

The question we have on the table is: Does your GDS channel qualify for SAQ C-VT?

First of all, if you store card data electronically, you can stop reading. You need to do SAQ D-Mer. Go. You have 332 questions to go through and we suggest you start! If not, then the idea here is whether SAQ C or SAQ C-VT is correct for your GDS channel. Now, these are obviously our own opinions, and some other consultants/QSAs might have a different idea or take on it. We do not represent the industry or IATA or PCI SSC in defining this…as and until someone from these parties decides to make a definitive statement of which SAQ needs to be done, this is our suggestion on why SAQ C-VT could be the correct SAQ for the GDS channel.

Now for SAQ C-VT there are a bunch of criteria. You can download the SAQ itself directly at

https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-C_VT.pdf

To save time, we are going to focus on the first three main eligibility points that define this SAQ conditions:

a) Your company’s only payment processing is via a virtual payment terminal accessed by an Internet connected web browser;

b) Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;

c) Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems);

Now for A), the key here is “Internet Connected Web Browser”. The other part about ‘Your company’s ONLY payment processing is via a virtual payment terminal’ might mean that if you have any other channels such as internet of EDC (card terminals), you disqualify for this SAQ…but actually no, PCI-SSC states in their Article 1082 that as long as the channels are isolated from each other, you can go ahead and complete different sets of SAQ for different channels.

Now to understand the GDS connectivity, a majority of agencies are using either Sabre, Travelport or Amadeus. Each one of these are supposedly PCI compliant (so item Bcan be checked), and each of these provide a client solution that installs in your desktop and connects back to their main server for information and input. Sabre has their Sabre Red Workspace, Amadeus have their Selling Platform and Travelport have their Galileo Desktop. Some GDS now also offers direct web browser connectivity so that there is no need to install additional client, but for this article, we will be looking at the client application residing in the agent’s desktop. This is key, because if this is considered a stand alone payment application, then SAQ C-VT cannot be fulfilled.

It is this installation of additional client that some consultants have ventured to say that this is not a ‘web browser’, with web browser being what we know as Internet Explorer, Chrome, Safari, Firefox etc to name the popular ones. Without going into the history of web browser itself, the basic definition for the web browser is “a software that retrieves, present and traverse information resources on the internet”. These can also be used to access private web servers or private files in private servers. It is important to note that there must be a call to a web server, usually through encrypted transmissions and there is a dependency on information being posted/sent to this server and receiving a response. Basically, without internet connectivity (except if you have offline data), your web browser is basically non-functional.

So where does this leave us? Unfortunately PCI SSC is cryptic about this ‘Internet Connected Web Browser’ bit in SAQ C-VT. However, it does offer a bit more information about what constitutes a ‘Virtual Payment Terminal’ which is basically:

“Web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions. Unlike physical terminals, virtual payment terminals do not read data directly from a payment card. The merchant manually enters payment card data via the securely connected web browser. Because payment card transactions are entered manually, virtual payment terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.”

Now we are getting somewhere. So instead of saying Internet connected web browser, here it states a ‘web browser based access’ which might sound like the same thing, but it isn’t. It’s basically stating as long as the software accesses similarly like how a web browser access a resource, then it can be considered as SAQ C-VT qualified. Again in PCI SSC article 1063 in their FAQ:

” SAQ C-VT is for merchants who manually enter a single transaction at a time into an Internet-based virtual terminal solution provided by a PCI DSS validated service provider. “

In this case, it does away with the term ‘web browser’ completely and just states Internet based Virtual terminal.

So let’s establish a few assumptions here to approach this:

a) Software must be dependent on the internet. If there is no connectivity, there is no usage.

b) Like a browser, the software must send and receive information to and from a server

c) Like a web browser, the line should be encrypted if private information is being sent (this is technically more for security than functionality)

If the software can meet these requirements, then it can be considered an internet based virtual terminal. In order for us to really dig into this, we need to go down into the details: doing a packet capture.

We will look into this in more detail in Part 2 immediately after this, which is a separate article, since this one is already way past its word limit already!

PCI-DSS and how we messed up the scope

June 4, 2017 / / 0 Comments

pci-compliance

Reflecting on challenges of a recent PCI-DSS project for a client and the key learning points for an effective implementation

People team challenges – having a team to champion the project

When we started the PCI project, we were faced with multiple changes in the client’s project manager and so the project was like a car unable to start on a cold morning (for those old enough to remember there were such cars back in the 80s!).

Eventually, by working with the client, the musical chairs stopped and we had a stable project team to champion the PCI-DSS project.

The importance of the scope

By then, so many changes had been made in the systems and people that we were asked to rescope the work.  Now, scope in any PCI-DSS project is absolute key. If you start wrongly, you will definitely go down the rabbit hole and never come out.

(Mis)Understanding the process flows

The client described how the credit card data was fed into their system through the credit card terminals connected to their POS systems in their nationwide store network.

Initially, we were quite surprised that credit card data would be flowing back into the retailer’s system so they could do their reconciliation.  Our experience suggested that retailers would simply transit credit card information through the credit card terminals to the acquiring bank and then receive back a transaction ID or approval code.

Further enquiries got the same answer and we were assured that the information would be ‘encrypted’ and stored in ‘encrypted’ form.

On the basis of their answers, the client expected to undergo an onerous Self-Assessment Questionnaire, consisting of over 320++ questions!

Managing information

Our team took their word for it, and began the project by asking them to draw out their process flows so we could assist them in scoping their systems and completing an asset inventory (a key part of the PCI-DSS programme) together.

And this was where things got a little messy.

Because they insisted the credit card terminals that were interacting with the cards belonged to the acquiring bank and they had no influence over it, they did not have an asset list.

Also, with a significant number of branches it was difficult to provide an asset list to cover all relevant hardware and software across the portfolio.

The pushback caused the project to once again grind to a halt. Without a scope confirmation, we could not start any PCI implementation for them, in case we over-committed or under-committed on the plan.

Benefits of documenting process flows

The project was being worked out at management level for a long time before it was brought up to the director level, but once it did, things began to move.

We decided to go on the ground to a few of the store locations to really see what was going on.

What we found out surprised everyone:

Credit card information indeed never flowed back into the client’s system!

Getting the terminology right

The so-called ‘encrypted’ credit card information from the bank that was supposedly sent back to the client after the authorization, was in fact, ‘truncated’, not ‘encrypted’.

Apparently, the client had thought these were the same thing.

In PCI speak, encrypt means to protect credit card details by making the information unreadable with a key. The main reason is that there is a need to ‘de-crypt’ the information back again.

Truncation, on the other hand, meant that the card number itself, when sent has already its numbers ‘X’ed out. This is different in a sense that truncated card information is NOT card information because the critical numbers have already been X’ed out, leaving (usually) just first six and last four numbers of the credit card number visible.

Immediately, it was like a light being flipped on.

The team worked hard to optimize the scope by confirming the other flows and observing live transactions take place.

At the end of a 2 day onsite scoping assessment, we concluded that this client was eligible for a much reduced – only around 80 questions – assessment and then by filtering further, we pared down their compliance questions to only 40 reducing the scale of this compliance project by more than 85%.

Key messages

The takeaway here, from our experience would be:

  1. All PCI-DSS assignments require a stable and strong project team – get the right people, in the right place, with the right focus
  2. Understand the client’s terminology and descriptions and then check and check again. Ensure that you start from the best position, and not chasing the wrong end of the stick.
  3. For PCI-DSS merchant compliance it is essential to explore if the client is eligible for any reduction in the scope and don’t just go with the default. The time and cost elements of getting this wrong could be very substantial.
  4. Nothing beats being onsite and to undertake live walkthroughs of the actual processes. In this case, the earlier the better, so the assignment can be properly scoped.  A different set of eyes might be able to unlock the project obstacle – and in our case, it was essential to have the onsite scoping exercise.

Finally, because of these findings, the compliance is now ongoing and finally we are seeing the light at the end of the tunnel.

If you have any queries on your scope or compliance on PCI-DSS, drop us an email at pcidss@pkfmalaysia.com and we will get back to you ASAP.

The SAQ Bs and how they apply to you

March 31, 2017 / / 0 Comments

pci-compliance

We always say SAQ As and Ds get all the glory and attention.

This is because a majority of our SAQ clients are e-commerce companies and therefore they apply SAQ A or A-EP depending on where their credit card information is collected.

However, recent times, we have been working on a well-known retailer and were told that SAQ D would be the one that applies to us. Now the SAQ was passed to them by the bank and the bank insisted that they do SAQ D-Mer.

Now this post is going to assume that you have some working knowledge on what SAQ’s are in PCI-DSS world. Self Assessment Questionnaires are one of the most misunderstood concepts in PCI. They are like Donald Trump’s foreign policy and the plot of Interstellar all mashed into one misunderstood mess. Often because acquirers find it so hard to understand, they just tell all their merchants that they should go for SAQ D.

Now we have fought for our clients before – where we overturned the acquirer insistence for one of our e-commerce clients to do an SAQ D-Mer, and instead got them to agree that an SAQ A-EP is sufficient. SAQ A-EP = around 140 questions. SAQ D-Mer = around 320 questions. Big difference.

Why is this important? We firmly believed in the concept of overdoing PCI is not a good thing. Why? Because our clients have other things to do and limited time and money to do these. Ideally, sure, everyone should go on Level 1 Certification. But the reason why the PCI Council created a whole bunch of ‘levels’ and then types of SAQs is simply because different businesses face different risks. It doesn’t make sense for a neighbourhood grocery that accepts 10 cards a month to implement the same million dollar controls as, say, Tesco or Exxon Mobil. So. Don’t overdo things, but don’t under-do it as well.

Back to SAQ Bs. So with this client, after talking to them a few rounds we found out that:

a) Their credit card terminals are separate and not integrated with their POS machines and connected via USB.

b) The POS machines are all connected back to the branch switch (let’s call it branch switch) and from there connects back to corporate HQ for reconciliation purposes

c) However – we found out that the Credit Card terminals have their own connectivity to their own ethernet switch (lets call it Credit Card switch) that connects to an ISDN router and directly to the bank.

This means, there are two flows – once the credit card is used on the Credit Card terminal, the card information is sent out directly via ISDN to the bank. Whatever approval etc that comes back, it will go through the USB to update the POS.

The crunch here is that NO CREDIT CARD information is ever sent back to the client’s environment. Everything is out through the bank environment – as the Credit Card Switch all belongs to the bank. It’s only located on the customer premise but the customer has no access to it – physical or logical.

So begin our argument with the acquirer, to overturn their SAQ D to SAQ B or B-IP. Let’s look at SAQ B criteria as per PCI document:

a) Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;

Seems like it. Technically, the question here is whether a credit card terminal connected to a POS machine with USB is considered ‘standalone’. Our argument here is yes, as long as no credit card info flows through that USB connection and only approval/decline/transaction dollar amounts etc. Remember the USB connection connects the terminal to to the POS machine (a Windows box). Credit card info flows out the other way, directly to the bank via a circuit switched technology like ISDN (i.e dial out). For the millenials, ISDN used to be the granddaddy of broadband. If you have ever gone through internet connectivity era with normal dial up 14.4kbps, ISDN is like what God would send to us out of mercy and grace.

b) The standalone, dial-out terminals are not connected to any other systems within your environment;

Again, the argument here is ‘connected’. What does this mean? Is it through IP means, or even an RS232 connectivity is considered connected? Our reasoning is that this is USB connection and no card data flows through this ‘connection’ and we will use this reasoning once we get on the table with the acquirer.

c) The standalone, dial-out terminals are not connected to the Internet;

No they aren’t. They are on ISDN direct to the acquirer.

d) Your company does not transmit cardholder data over a network (either an internal network or the Internet);

No they don’t. In fact, no credit card info is stored, processed or transmitted anywhere in the customer environment. Except for the physical protection over the bank equipments residing on customer premise.

e) Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and

They do have some credit card info on paper which they need to protect, but these are manual forms they need to fill out for refund process. And the process is dictated by the bank.

f) Your company does not store cardholder data in electronic format.

No, of course not.

So you see, except for the tiny word ‘connected’ in question b), our client does meet all the SAQ B criteria. It’s really ridiculous to have someone go through the entire SAQ D when they do not have card holder data in the environment they control. And what if they have 80 branches, each with 10 POS terminals and servers? That would mean 800 systems in all branches come into scope for pentest, internal scans etc? No wonder I hear some retailers using PCI as a cuss word these days.

So, we don’t know how this is sorted out yet, but we will soon, and perhaps that will constitute another post. For now, if you need any help with your PCI-DSS – SAQ or Level 1 certification, drop us an email at pcidss@pkfmalaysia.com.

Cheers for now!

PCI and Multi Processing Environments

March 31, 2017 / / 0 Comments

PCI

Since our last post, we have received some queries from other companies asking us about their PCI compliance. Just to be clear, we do not charge a fee for replying to your email and assisting you make sense of this compliance. We know how frustrating it is, and no, anyone that tells you that PCI is easy as 1-2-3 isn’t really letting you know the full picture. This is because some emails had been – “I have this question, but wait, if you are going to respond and charge me a fee, then don’t bother.” What are we, mercenaries? Yes we are a company requiring profits and not an NGO, but over the 7 years we have been involved in PCI, we have actually done a fair bit of advisory without charge, just to get PCI awareness out there into the market.

So, to save the trouble, I’ll put up a public post here to sort some of the questions out. This question, we have been getting a fair bit: What if the company has a multiple processing environment? What does this mean?

Let’s say, a retailer. It has a POS environment whereby they run standalone terminals connecting to the bank for purchases in their store. Credit card is used here – card present transactions. Then they launch their e-commerce site, which redirects all card non-present transactions to a PCI certified payment gateway, where the card collection page is hosted by the gateway.

You see here – there are two different channels for credit card interaction. The traditional POS, and the e-commerce site. Both are completely outsourced – one is direct dial up to the bank, the other to the payment gateway. So how do you deal with this?

You have two options – one is to do separate SAQs for both environments. Yes, you can. In the example above, doing an SAQ B for your POS environment and an SAQ A for your ecommerce environment (assuming you are level 3 or 4 merchant) should be able to suffice. The second option is to combine these channels into one SAQ. Once you do that however, you won’t be able to go through the ‘specialised’ SAQs. Specialised SAQs are like A, A-EP, B, B-IP, C, C-VT – meaning they have conditions in which you need to adhere to in order to use them. For instance for A, it says that this will only apply to merchants with card non-present business. And likewise for B, it has condition that you do not store card information electronically and is not applicable to e-commerce merchants. So when you don’t fall into any of these SAQ buckets, you end up with SAQ D-MER, which basically covers everything in PCI. But don’t worry, you a lot of the SAQ would be non-applicable in this case, and only those related to outsourced e-commerce and POS facilities would apply.

Now another related question, and one that I ended up having a 2 hour discussion with a client on = can an entity be both merchant and service provider?

The short answer is yes, you can.

An example would be a telco. Telcos generally have massive merchant business. They accept payments for their pre-paid, post-paid etc from end customers through e-commerce, POS channels etc. But the Telco could also support a manage services and hosting environment whereby other merchants are hosting their payment sites on. Then, now you have a service provider environment.

Or, it could even be within the same organisation, you have your merchant business of a payment portal, Mobile POS, or mobile app, connecting to an outsourced payment gateway. Suddenly you decide you want to set up your own payment gateway and channel all the transactions of your merchant business to your own payment gateway.

In the first instance, if you have separate environments and businesses isolated from each other – you can again opt for separate compliance. You could be a Level 3 Merchant filling up an SAQ B form, and also a Level 1 Service Provider doing an ROC with a QSA.

In the second example where your merchant business connects to your own payment gateway, it’s a little more complicated because in all likelihood, the systems utilised by both business would be common. In this case, isolation and demarcation of type of business is more difficult to attain. Assuming you are eligible for Level 2 service provider, you can technically fill that up and ensure that it includes your payment channels within that SAQ. If you are doing a Level 1, then similarly, the QSA would likely include your payment channels (previously what you would call your merchant business) into your service provider certification efforts. Otherwise, you can still opt for a separate PCI compliance program, whereby you fulfill your merchant compliance, and for your service provider compliance program you do it separately.

For the latter option, the advantage is that if you launch your payment gateway and you provide options for other companies (not just your own) to connect to you, your compliance isn’t dependent on your payment channels (your merchant business). You would treat your own payment channels as just another merchant out of many, that are connecting to you. The downside of this is that you would likely need a clear demarcation and separation of systems between your merchant and service provider business.

Again, there are many ways to skin PCI. The best way (on paper at least) is to get your acquirer on the table or your payment service provider to ask them what is applicable to your business. Unfortunately, around 99% of the time in this region, the acquirers aren’t too knowledgeable themselves and either give wrong information or just tell our clients to do a Level 1 Certification with a QSA.

As part of our job scope – we will assess our client’s environment and provide the options on the table, and in some cases even be present on the table in the discussion with their acquirer – to obtain a clear indication on how to move forward and what PCI options are acceptable.

As always, drop us a note at pcidss@pkfmalaysia.com and we will do our best to accommodate your inquiries!

« Older posts Newer posts »

© 2024 PKF AvantEdge

Up ↑