Month: February 2019

The Sickness of Busyness

I’ll admit it.

Like any other company, or culture within a company, we have our own little sayings to describe certain situations, certain issues or certain people. There is the often-used phrase FOMO – Fear of Missing Out, a situation where a person is so afraid of losing out on things that they need to be involved with everything. There is the usual phrase NRS – New Recruit Syndrome, where a newcomer becomes so enamored with making things ‘happen’ in the company that suddenly everything seems to be moving — until it stops again. There is also the term LLB, not to be confused with the Bachelor of Law – “Look Like Busy”. It basically describes someone who always seems to be rushing, to be going someplace, to be doing something, to be typing things into their handphone, to be always sitting down as if their ass is on fire, to be talking on the phone with their bluetooth headset while walking around, making them look like they are doing a soliloquy in Shakespeare’s Hamlet.

With the advent of the mobile phone, the ultimate personal and intimate device, this LLB has taken on another dimension. Admittedly, as consultants, we do fall into the trap of being busy many times over. There are often remarks made to me: “You seem to be busy all the time.” The truth is, yes, sometimes I am rushing from one meeting to the next. Sometimes, I need to just get into my car, and in between meetings, I am on the phone to finish off another meeting. Yes, sometimes, we overbook ourselves because client A doesn’t come back to me and I book in Client B and then Client A says OK, let’s do a meeting and I go, Ah Crap, can we move yours an hour later. Client A goes, “Wah So busy one ah?” and Client B, when I am rushing to finish off the meeting so I can go to Client A, goes “Wah So busy one ah?”. I think 80% of this LLB occurs because my daily schedule sometimes ends up so dynamic, as in, random clients may need to meet for whatever reason – and to top it off, we don’t have dedicated sales, so many times we are doing marketing, meetings, administration, auditing, operational support etc.

But LLB isn’t about actually being busy – it’s about looking or being busy even when we are not. And that’s the truth. We are sometimes so accustomed to being caught up with things that we just think it’s unnatural to actually have…time.

Think about it. How often do we actually sit down over lunch/dinner and not whip our phone out, even when we are not working on anything? Or at the traffic lights or caught in a jam? Or when we are having coffee alone? Or when we are waiting for the one guy who is always late for the meeting and we all sit around tapping away at our phones? Truth: I’ve actually seen a client who, while waiting for the meeting to start, took up his phone and just started tracing his finger over it in circles while staring at it. He wasn’t reading anything. He didn’t have any app started. He wasn’t listening to Spotify. He was, in a trancelike way, just tracing his finger in tiny circles over his LOCKED screen.

What?

How dependent have we become on this tiny little device we always have in our pocket? How often do we go absolutely ape*hit when we cannot find our phone? How often do we actually place this guy on the table in our meetings, in our lunches, in our time even with our family? Have we become so consumed with the idea that WE ARE NEEDED that we think we are needed even when WE ARE NOT?

Once, during an interview, a guy I was talking to kept checking his phone. Maybe he was nervous, OK, I’ll hand him that. But he kept looking at his phone until I finally asked: “Is your boss looking for you?” and he looked at me in a confused manner and I just shook his hand, said, “Thank you for your time to sit down with me” and I left. Oh, yeah, I was the one interviewing and he was the interviewee.

What is wrong with us? Are we so disillusioned with our own importance that we can’t even for a single minute stop this nonsense of tapping on the phone, writing an email, drafting a report, reviewing a document or composing a stupid blog post and just look up and find that we are still human?

One of the things we need to change, starting from our own, in this LLB business:

a) Meetings – if you are meeting a client, or meeting a service provider, or meeting a colleague, make it a point to limit phone usage. It’s highly insulting that during a one-on-one meeting, while it’s going on, you whip out your phone and tap an email or a reply to a chat. If you have to do so, such as to answer a call, excuse yourself and say, “I am so sorry. I need to take this just for a while” and then tell the other side that you will call them back. Don’t take any longer than necessary. Of course, there are exceptions. Once I was with an important client and my mother called. She never calls during work hours unless it’s an emergency, so these were exceptional circumstances. I took it, but I apologised first to the client. The concept is simple: if someone actually takes time to spend with you, give them the due courtesy of your own time with them. Apart from such exceptional circumstances, let’s have conversations and connections, as opposed to emailing or texting.

Another irritating habit (of which sometimes I am also culpable) is the constant tapping on the laptop during a meeting. This is usually done by non-leads (the guy in the meeting who is not participating much in terms of discussion). Unless they are doing minutes or capturing the discussion, this is strictly banned in our company. I had a client once who told off his executive and sent him out when he was tapping furiously on the keyboard while the meeting was going on, and it wasn’t related at all to the discussion. He was trying to solve an operational issue or sending out an email to another client. No, his boss was saying. You aren’t that important. Get that in your head and sit down and shut the hell up and listen and learn. Good lesson, that one.

b) Mealtimes – Even at lunch or dinner with colleagues, it’s very irritating to have the phone out the whole time. Don’t. Every time you do that, it states that the people around you are unimportant. In our family, we try never to do that. Yes. Even when I am bored stiff staring while my 3-year-old takes his own sweet time eating his food (he likes to eat on his own, but by the time he finishes, fishes have actually evolved into birds) – and my wife and my other kid are nowhere to be found in the shopping mall, I have to refrain from whipping out my phone, unless it’s a call. Mealtimes are a no-no for phones in our family. Why not during our corporate lunches/mealtimes as well? Why not interact without the laptop?

c) Travelling – Yes, I admit, caught in horrendous traffic, it is very enticing to catch up on things. I’ve avoided this (because of traffic summonses) primarily by either having a meeting in the car (yes, I am theoretically still using the phone) or just listening to Spotify, which is a godsend to road warriors who spend half their day stuck in traffic. If I am with another colleague in the car, then getting on the phone is a no-no (also because some meetings are obviously confidential). Let’s interact instead! In the lift, don’t whip out your phone and tap around or continue talking. In the toilet, for God’s gracious sake, don’t talk on the phone while you take a dump! I’ve heard this many times before. There are practical reasons not to do these things – primarily because of confidential information being accidentally leaked out – but also – come on, it’s crazy having to chit-chat while doing something in the toilet.

Tell ourselves: I am not that important. Yes. This goes against all the motivation and self-improvement philosophies that keep telling us how important we are etc. No. We are not that important. Life for other people will still continue if I don’t respond within an hour or so. While it is common courtesy to respond to a text or email within a reasonable time, nobody is saying you need to respond immediately. I mean, back in our fathers’ time, they didn’t have email. How on earth were they supposed to reply “yes” to lunch immediately? So unless it’s life and death and remarkably exceptional circumstances, sometimes it’s ok to put the phone down.

But take note. Many times, busy-ness happens to us because we are poor time managers. When we promise a deadline and we miss it, and we complain because now our boss is calling us, and we go: well, family time is more important, let me tell him to screw off. That’s also stupid, and will probably cost you your job. If you didn’t do something or did not hand in something, then take ownership of it and do it. And doing something doesn’t mean just finishing it. It means finishing it with the proper quality required. I’ve seen many so-called reports on my table that could have been better written by llamas. As in the animal in Tibet. If you can’t get your work done, then be prepared to work overtime, over the weekend, to fix or finish it, and don’t complain about it. Deadlines are deadlines. It has nothing to do with looking like busy – it’s our own fault for not being good time and quality managers.

LLB isn’t about that. It’s about Looking Like Busy even when we are not. It’s about: Oh, let me stay up late tonight just to show everyone I am working late and send out an email at 4 am to impress my boss. It doesn’t matter what time you work until – some people like me work best between midnight and 4 am, so that’s when we get stuff done. It doesn’t mean that if I send an email out at 5 am, I immediately get my morning off!

We should take our time to look around us. Observe. Even in our workplace – it’s almost like a family since that’s where we spend most of our daily hours. We can observe nuances of a person, how someone reacts, the way he or she speaks – human connection is being lost in the new generation of logical and virtual connectivity. Crack a joke. Laugh. Remind ourselves of the humanity of life.

I am often reminded of how precious little time we have on earth when I am with my children. I am reminded of a time not very long ago when I was their age, looking up at my dad as he waited for me to finish my damn meal, but (because there were no mobile phones back then I guess), still grinning at me as I attempted the foolish task of manipulating noodles into my mouth with a spoon. And suddenly I am here. Same situation, looking at a mini version of me doing the same thing and taking so much of my precious LLB time.

Are we really, truly that busy, or are we just needing to vindicate our importance on this planet before our clock is up? Our importance isn’t in the glowing screen of emails or Whatsapp messages or Facebook Likes. Our importance is in the reflection of ourselves in the eyes of our children. Our parents. Our spouses. Our friends. Or in many cases, even our pets. It doesn’t matter “who”, as long as it’s not a “what” that’s reflecting back at us.

So, enough of writing this blog post for now. I am not busy now and I don’t want to appear to be busy. There will be times when I am, for sure, so I’ll enjoy the times I am not. It’s time to get some coffee and converse with someone – or just look at my kid and wait for fishes to evolve to birds. Say no to LLB this year! Happy new year!

PCI-DSS and the problem of Email

When we first started with PCI-DSS many years ago, most of our clients were service providers – payment gateways, financial institutions, and two banks. They had their challenges – in some cases, their scope was containable (payment gateways) due to the limited number of locations – and in the banks’ cases, at least they understood the massive headaches they faced in getting their entire environment compliant (with ATMs etc. all in scope).

We saw a shift over to service providers OF service providers – hosting companies, data centers, BPO, outsourced call centers etc. Their challenges were somewhat different – call centers especially, because of their central hub of connectivity – their telephony system, and another big problem: email. Email issues in PCI are longstanding and absolutely difficult to resolve – and they reach most businesses – travel agencies, hospitality, healthcare, insurance and so on.

When email first came out in the late 60s and early 70s, I can almost imagine how excited the users were. I wasn’t born then. But I recall back in the Uni days, early days when IRC/ICQ first came out, the level of excitement we had in communicating with an actual human being a thousand miles away INSTANTANEOUSLY was so mind-numbingly out of this world. Back then, we spent countless hours in the school lab, playing these text-based dungeons and dragons online called Multi-User Dungeons, or MUDs for short, and almost failing all our subjects in the process. But the excitement was there: communication.

In that sense, email is almost half a century old and is still going strong. Primary communications are still through email, for business and personal communications. Email was never built to be secure. In fact, like the wonderfully robust (but now being phased out) SMS, when it was first used, no one imagined it would become the backbone of world communication as it is today. Nobody decided back then: hey, let’s prioritise security! Hey, let’s ensure that nobody can tap into this email of ours and see our messages! Email was like a conversation in a bar. Anyone could be standing around you, or sitting next to you and listening in to your conversation — and it was ok.

Until now, it isn’t.

Well, at least from PCI-DSS perspective.

“Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).” – Requirement 4.2 (PCI v3.2)

Unfortunately, a lot of businesses utilise email as the primary channel for PCI information. Hotels we deal with, travel agencies we have worked with, call centers etc. – email is sent with card data because of the convenience and the efficiency of the whole process. When we enter these environments and suggest they look for alternatives to e-mail, we invariably face a force so strong, it’s like hitting the stone wall of Helm’s Deep: Business.

Try as we might, we often end up talking about how we can use email AND pass PCI-DSS.

Now, it’s not impossible. But by the time we are done, we are basically looking at something so extraordinarily difficult or so expensive we invariably end up taking the path of least resistance (and least cost).

But how would you have EMAIL AND PCI-DSS?

First of all, we need to understand that, like water, email exists in many forms. Or rather, in many locations.

First of all, it’s on the endpoints. This is where the email containing card data is sent and received. So, you have data at rest. All endpoints, whether agents’ or cashiers’ machines or call center workstations, are in scope as CDE (card data environment). All endpoints need to have their data encrypted. You could opt for full disk encryption, folder encryption or simply data encryption: either way, your keys need to be managed appropriately as well. If you allow devices like iPads or phones to access the email, you are in a world of hurt, because it basically becomes impossible to secure these devices.

The second form is in transmission. Because email isn’t point to point, it hops through multiple relays and multiple routing points to get to where it needs to be. At any point of the journey, your email could be sniffed or leaked. Thankfully, many email services like Office 365 are able to encrypt the transmission with TLS 1.2. Obviously this helps a lot – but that still only covers transmission.

The third form is on the interim server(s) – mail servers, relays or anything else in between before the message ends up in the recipient’s mail boxes. Whether you are running your own mailserver or using a separate provider’s, the challenge is the same. How do you ensure that the messages at rest, be it temporary or permanent, are protected?

Pretty Good Privacy (PGP) has often been offered as a solution by kindly QSAs to assist in this matter. The problems with PGP are numerous. One, it’s very old. And more importantly, it’s very difficult to use. To make it easier, some email clients have tried to simplify it, but in doing so may render it vulnerable to attacks (see the recent EFAIL attacks here: https://efail.de/). And what if we don’t send over our public key? Or forget to encrypt the communication? At best, it’s similar to the problem that QSAs have with manual muting in telephony systems. In theory, it might work (if vulnerabilities are removed, and if users use only text-based encrypted messages), but practically it is a different story. Even before the recent research into PGP’s vulnerabilities, everyone basically knew that PGP doesn’t encrypt metadata (the information needed to route email) – so subject lines etc. are all visible. It may not look like much, but a resourceful hacker will find this information gold.

If PGP is not used – how about some of the recommended secure messaging systems like Signal or Telegram? The problem is that these are not email technologies and these have issues of their own. How do you filter out Signal? If you do receive Signal/Telegram messages on your phone, it brings your devices all in scope. How do you run a PANScan on your phone? How do you secure every phone device there as per PCI requirement?

So how do we use Email for PCI?

The only solution, it seems, for now is to have a PCI-DSS certified service provider for email and to use them. As we don’t represent any service provider, we won’t list them here, but a simple Google search will give you some alternatives. Be aware, though, to go through their AoC and ensure that their email service is fully certified. It is also likely that the QSA will request more information on the encryption and key management: whether keys are managed by the provider (likely, as in the case of cloud services), managed by the client, or whether the provider can offer a client-managed-key cloud solution.

That’s only half the solution (if that manages to pass). The second problem you have is to limit the endpoints accessing the PCI compliant service, as these are considered CDE. Now remember, everything connecting to the CDE comes into PCI scope. So for the rest of the organisation using email for other purposes or needing email on their phone etc. (let’s call this corporate email, vs the secure email for PCI) – the corporate email needs to be segregated from the secure email. This means a separate solution. This means separate emails for corporate and secure – in most cases, meaning separate email addresses. While theoretically you can split email through subdomains, the main domain still needs to accept the initial email before forwarding – so for instance if you want pcidss@mycompany.com to come to your specific secure email provider, unfortunately, it will still hit the MX record (Mail Exchange) of mycompany.com, which means your corporate email gets into scope. It’s an endgame there. Once corporate email is in scope, it’s over. Everything else becomes impossible to make compliant.

So you need to have mycompany2.com for secure email. It doesn’t seem too difficult and it might be possible – but let’s say you have 10,000 agents or clients or service providers in the field – how do you re-educate an entire workforce to get them to resend? Remember, you can’t incrementally ‘migrate’ – i.e. continue to use the old email and then forward it over to the secure email – you need to completely move over to the new email service and shut down card processing on the old email. This means a lot of lost business, a lot of customer experience issues, a lot of complaints – all adding up to business issues.

After that, isolating receiving endpoints becomes an issue as well. All endpoints come into scope, so depending on your business, this could be a secure room with only a few systems, or a distributed nightmare if you have 200 branches or outlets receiving these emails. This isolated segment is CDE, so anything it touches becomes non-CDE but in scope. Yes. It’s a nightmare. Any shared services will be pulled into non-CDE but in scope. If you want them to also use their corporate email, corporate email comes into scope. All endpoints are subjected to full PCI controls. On top of that, most QSAs will likely require additional controls like data loss prevention to be present in the gateway or endpoints if, let’s say, the CDE systems are hooking on to another potential channel to send email (like the corporate email). Key management also comes into play for the full-disk or folder encryption at rest on the endpoints.
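The data loss prevention control mentioned above, and the PANScan question raised earlier, both come down to the same mechanic: scanning message text for card numbers and either blocking or truncating them. The following is an added example written for this post, not code from PKF AvantEdge or from any DLP product. It parses a constructed sample email, finds Luhn-valid PANs in the Subject header (which stays in the clear even under PGP) and in the text/plain body, and produces a truncated copy that keeps only the first six and last four digits. The regex, the sample message and the address names are assumptions made for the example.

```python
import email
import re
from email.message import Message
from typing import Dict, List

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the pattern from matching inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """PCI-style truncation: keep at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Luhn-valid PANs found in text, digits only, in order of appearance, without duplicates."""
    found: List[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with its truncated form; other digit runs are left alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def scan_email(raw: str) -> Dict[str, object]:
    """Scan an RFC 822 message: the Subject header and every text/plain part."""
    msg: Message = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    body_parts: List[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            body_parts.append(payload.decode(part.get_content_charset() or "utf-8"))
    body = "\n".join(body_parts)
    return {
        "subject_pans": find_pans(subject),
        "body_pans": find_pans(body),
        "redacted_subject": redact_pans(subject),
        "redacted_body": redact_pans(body),
    }


# Constructed sample message (not a real booking); 4111 1111 1111 1111 is the well-known
# Visa test number, and the 13-digit order reference is deliberately not Luhn-valid.
SAMPLE_EMAIL = """\
From: agent@example.com
To: reservations@example.com
Subject: Booking for guest Smith, card 4111 1111 1111 1111
Content-Type: text/plain; charset=utf-8

Please charge 4111-1111-1111-1111, exp 12/22, CVV 123 for two nights.
Order ref 1234567890123 is an internal reference, not a card.
"""

if __name__ == "__main__":
    result = scan_email(SAMPLE_EMAIL)
    print("PANs in subject:", result["subject_pans"])
    print("PANs in body:   ", result["body_pans"])
    print(result["redacted_body"])
```

Run on the sample, the scan flags the same PAN in both the subject and the body, ignores the order reference because it fails the Luhn check, and rewrites the body so that only 411111******1111 remains. A gateway that applies the same check before a message leaves the CDE is the kind of compensating control a QSA would expect to see documented.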

Overall, the scale of what is needed to use email for PCI makes it difficult. I think the whole reason business wants to use email for PCI data is either the ease of use, or not changing the current way of doing business. Neither is on the cards – even if email continues to be used, the ease of use is no longer there for PCI. Also, the customer experience and frustration could be ten times worse than with another solution like a secure repository, a customer portal, tokenisation or something similar. The amount of complaints foreseen in implementing new procedures, new techniques, new solutions etc. – these are not just an operational security nightmare, it’s a business nightmare. Plus your entire business becomes hinged on the service provider being PCI certified. What if they decide not to be? Or they fail their next audit? Or they get acquired by a competitor?

If a business is willing to embark on the complexity of getting email in scope for PCI, a humble suggestion we have would be to look for alternate solutions and have them on the table as well. Because once everything is scrutinised and risk is assessed, then they would have the full picture of what they are dealing with.

For more information on PCI-DSS or any compliance or IT advisory, please drop us an email at avantedge@pkfmalaysia.com.

PCI-DSS – Merchant EDC and Scoping

Many merchants we meet often tell us this: they are not in scope because they only do EDC (electronic data capture) – or payment terminal – transactions and these belong to the bank. Therefore, the bank has to ensure these are compliant and merchants do not need PCI-DSS since they do not store credit card data.

Underlying this is the prevailing myth that storing credit card information is what PCI-DSS is all about, and that as long as we avoid this, we don’t need to be PCI.

While non-storage of credit card does reduce scope SIGNIFICANTLY, it’s not the only thing PCI is harping about. It’s pretty clear in the standard itself:

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data and/or sensitive authentication data.

I don’t blame the merchants. They already have a hard enough time competing in a new digital landscape of virtual buyers and getting margins from their products – the last thing they need is a consultant coming in, brandishing some sort of standard called the PCI-DSS, and the only thing that flashes through their minds is: How much is this sucker going to cost me now?

But it is what it is and we try to make our client’s (or in many cases, not even our clients, but anyone who calls us – and doesn’t even need to pay) life easier – and provide enough information for them to decide whether they need consultation, help or go it alone for PCI.

Yes – we technically consult them to potentially not consult with us.

But we believe that in the long run, trust is something every consultant or advisor needs to earn, and it’s not something that comes with the territory. In fact, if I had a ringgit for every joke made about CON-SULTANS…we wouldn’t need to make any more new sales.

Anyway back to PCI. So the question to ask back the merchant is simply: “Great that you don’t store – but do you process card data?”

“No we don’t, the bank does it.”

“You don’t handle card data?”

“Handle? As in physically handle?”

“Yes”

“Of course (now somewhat flustered) – how do we get customer card if we don’t handle it?”

So in that sense – they answer their own question – if they are not there (handling the card), there is no transaction and no processing of card. Therefore, they are involved in the processing of card data. Does PCI apply? Yes, it does.

How does PCI apply?

Again, I am not going into the story of levels (how to be validated) vs controls (what to be validated) – already covered in previous posts on this, recently here.

But before our merchants get discouraged, most of their scope is very limited and in fact, I recommend them to try and go it alone.

Scenario 1

Their EDC connects directly to the bank through dial-up or cellular. No storage of card data. The only flow is to receive the card, dip it, wave it and pass it back to the customer. That’s it.

Look at SAQ B. Last check, there are 41 questions. You don’t really have too much complexity in there, except to ensure an information security policy is in place, physical security of the EDC is there, etc. It’s not that difficult and really, most merchants should try to at least get these done.

Scenario 2

Their EDC connects to the bank via the merchant broadband.

This becomes trickier as this means the card data potentially passes through devices in the customer premises. This also includes the case where branch locations send credit card information back to the HQ and use the HQ’s own internet setup to send it to the acquirer. Another permutation here is that the acquirer has its own equipment in the customer HQ, where all branch data is consolidated and sent.

The above scenario is more often found in very large Merchants.

In this case, the best bet we can go for is SAQ B-IP, with around 82 questions. Again, card data cannot be stored (the full 16/15-digit PAN), and Sensitive Authentication Data like CVV, track data or PIN cannot be stored. In this case, PCI can still accept SAQ B-IP, but most of the interim systems will be in scope for SAQ B-IP controls.

The trick here is really the SAQ B-IP requirement:

“The standalone IP-connected POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate POI devices from other systems);”

This is not as easy as it sounds, as many environments still have their EDCs in a flat network with all other systems, and part of the requirement will need these EDCs to be properly segmented out to avoid pulling the entire corporate network into scope. This becomes further complicated if EDCs connect via wireless.
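What the SAQ B-IP clause above asks a merchant to demonstrate is that nothing in the merchant network can reach the POI devices and that the POI devices can reach only the acquirer. The following added example, written for this post rather than taken from PKF AvantEdge or from any firewall vendor, models that check: a minimal first-match firewall ruleset is evaluated against a handful of constructed flows (the sort of thing you would pull from firewall logs or a segmentation test), and any allowed flow between the POI segment and a merchant system is reported as a segmentation failure. The address plan (10.20.0.0/24 for the EDC VLAN, 10.10.0.0/16 for the corporate LAN, the documentation range 203.0.113.0/24 standing in for the acquirer) and the sample flows are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the example (not any real merchant's network).
POI_SEGMENT = ipaddress.ip_network("10.20.0.0/24")       # EDC / POI devices
ACQUIRER_RANGE = ipaddress.ip_network("203.0.113.0/24")  # stand-in for the acquirer's hosts

Flow = Tuple[str, str, int]   # (source IP, destination IP, destination port)


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        src, dst, dport = flow
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def segmentation_violations(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows the ruleset would allow between the POI segment and any merchant system.

    The only permitted peer of a POI device is the acquirer; an allowed flow whose other
    end is anywhere else means the POI devices are not isolated as SAQ B-IP requires.
    """
    bad: List[Flow] = []
    for flow in flows:
        src_ip, dst_ip = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
        if src_ip in POI_SEGMENT:
            peer = dst_ip
        elif dst_ip in POI_SEGMENT:
            peer = src_ip
        else:
            continue                      # flow does not touch the POI segment at all
        if peer not in ACQUIRER_RANGE and decide(rules, flow) == "allow":
            bad.append(flow)
    return bad


# A flat network: everything can talk to everything.
FLAT_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# A segmented network: POI devices may only reach the acquirer over TLS, nothing reaches them,
# and the corporate LAN keeps its normal access to everything else.
SEGMENTED_RULES = [
    Rule("10.20.0.0/24", "203.0.113.0/24", 443, "allow"),
    Rule("10.20.0.0/24", "0.0.0.0/0", None, "deny"),
    Rule("0.0.0.0/0", "10.20.0.0/24", None, "deny"),
    Rule("10.10.0.0/16", "0.0.0.0/0", None, "allow"),
]

# Constructed sample flows, as they might appear in firewall logs or a segmentation test.
SAMPLE_FLOWS: List[Flow] = [
    ("10.20.0.5", "203.0.113.10", 443),   # EDC -> acquirer: the only legitimate path
    ("10.20.0.5", "10.10.1.20", 445),     # EDC -> corporate file server
    ("10.10.5.7", "10.20.0.5", 22),       # corporate workstation -> EDC management port
    ("10.10.5.7", "10.10.1.20", 445),     # corporate-internal, not a POI concern
]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, "network violations:", segmentation_violations(rules, SAMPLE_FLOWS))
```

Against the flat ruleset the two flows that cross between the EDC VLAN and corporate systems are reported; against the segmented ruleset none are. In a real segmentation test the flows come from actual probes rather than a list, but the pass criterion is the same one the function encodes, which is also why the check can be sampled across stores once the setup is standardised.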

Another thing to be aware of is that you will probably need a letter or confirmation from the acquirer that the entire card flow is encrypted end to end – meaning from the EDC all the way to the acquirer environment, rendering the merchant environment simply a transit point. Think of a road being used by an armored truck that the merchant has no access to, as they do not have access to the encryption keys.

Other than that, depending on the number of segments you have, segmentation penetration testing is probably another headache you need to look at. However, this can be done via sampling, so consult with either the QSA or a PCI expert for an idea of what an acceptable sample is. As the risk is rather low, the challenge here is just to ensure that the setup is standardised across stores.

Your EDC shouldn’t be relying on your POS machine to send or process card data. The POS should only be passing transactional information, and any information obtained from the EDC should be a truncated PAN (if necessary) or only transaction information.

There you go.

With these, you can probably navigate through the initial headache of PCI for your merchant environment! Let us know at pcidss@pkfmalaysia.com if you have further questions! Since we sometimes consult you not to consult us, it would definitely be an interesting discussion!

© 2020 PKF AvantEdge
