Why a Risk Management Template Can’t Be The Only Answer

Research recently published by the Online Trust Alliance discovered that 90 percent of the data breaches that occurred in the first half of 2014 could have been easily prevented. A statistic such as this confirms that risk, including vendor risk, can be identified and managed. Of course, not every risk can be caught, and not every incident can be prevented (hence, the 90 percent figure instead of 100 percent). However, organizations performing due diligence in working with their vendors can mitigate much of the risk that could turn into something more serious.

A risk management template is a tool many companies employ to determine vendor risk. This approach standardizes the questions asked of a third party during the assessment process. Such a template is important in assuring the right issues are being addressed, but using it is just one step in your vendor risk strategy. Here are some reasons why a risk management template can’t be the only answer:

Ease of Use

The benefits of a risk management template won’t be realized if it’s too difficult for you to understand or modify, or if your vendors can’t decipher what’s being asked of them. You might not get the answers you are seeking during the assessment process, which will affect your subsequent analysis and remediation decisions. Templates included with automated vendor risk management solutions often combine the thorough scope you seek with an easy-to-use interface that benefits both you and your responding vendors.

Returned Data Must Be Strong

The goal of a risk management template is to ask all the right questions in order to receive thorough answers and, ultimately, the best data possible. A completed screening will not save you time if you must go through the assessment question by question just to extract the pinpointed information you hoped to gain from the process. Automated solutions that employ risk scoring can provide the strong data necessary for your analysis. With these ratings, risk can be broken down into major categories (e.g., control risk, business profile risk, relationship risk) and then subdivided into specific subcategories. Want to know how well a vendor handles physical security? A risk management template combined with risk scoring can give you that focused data.

Returned Data Must Be Streamlined

Metrics can provide a deep dive into a vendor’s risk profile, but at the same time they need to be easy to understand. After all, you don’t have time to compute these ratings yourself, especially at the comprehensive level set forth by a thorough template. Moreover, executives in other departments might see these assessments, so a basic score will facilitate their understanding as well. Many solutions use streamlined rating systems (for example, a scale of 1 to 1,000, with bigger numbers equating to more risk) and color coding to complement the data requested by the template.

The Assessment Is Just the Beginning

A risk management template gets the assessment process going. Your remediation decisions are the logical results of that process. If a template does its job well, you will be armed with the most complete data to embark upon a course of action that will reduce risk. The key is following through on what the assessments are telling you. The risk management template is merely one of the drivers of an entire vendor strategy.

4 things to do after your credit card has been hacked

As many as 40 million Target shoppers who hit stores in the three weeks after Thanksgiving had their credit and debit card information stolen.
If you’ve visited a Target (TGT, Fortune 500) over the past several weeks, there are four steps you should take immediately to protect yourself.

1) Check your statement. It may seem obvious, but the first step you should take is looking for any charges you don’t recognize on your statement.
Don’t just look for large charges, either. Hackers often ping an account with micropayments of only a few cents to check the viability of the account. So if you see purchases of 6 cents or 11 cents, that could be a sign your information has been compromised.

2) Call your credit card company, bank and Target. Credit card companies generally offer customers fraud monitoring services at no cost, and customers aren’t on the hook for any fraudulent charges. Typically, the card issuer or the merchant is responsible for those costs.
But don’t wait for your card company or bank to call you. Let them know you’ve shopped at Target recently. All you have to do is call the number on the back of your card.
Target has also set up a phone line for customers who suspect there has been unauthorized activity on their accounts. Shoppers can call 866-852-8680.

3) Replace your credit card, change your PIN. If the bank didn’t already do this for you, do it yourself. This will put an end to any more fake charges.
Once you receive your replacement card, make sure to update your new card information with any companies that have your account on file for automatic payments or monthly fees, like your Apple (AAPL, Fortune 500) iTunes account or cable provider.

4) Sign up for a fraud monitoring service. If you’re concerned about credit card theft going forward, LifeLock and other similar threat detection services claim that they can monitor your card activities and alert you when your account has gotten into the wrong hands. Most credit card companies offer similar services for free, but threat detection services say they go above and beyond, including offering protection of credit card information on the Internet and even lost-wallet insurance.

Five Ways PCI DSS 3.0 Makes Security a Shared Responsibility

In 2005, CardSystems Solutions, which was a top payment processor for credit cards such as Visa, MasterCard, and American Express, was hacked. The consequences were enormous: 40 million credit card accounts were exposed in the cyber-attack, and CardSystems Solutions was bought out by the end of the year.

You’ve probably never heard of CardSystems Solutions, but Visa, MasterCard and American Express got your attention. Even though a vendor may be responsible for the data breach, the brand name is the one that suffers the public relations disaster.

Since 2005, cyber-attacks have only become more sophisticated. More than ever, companies and their vendors must work together to protect cardholder data and achieve compliance to the newest iteration of the Payment Card Industry Data Security Standard. Here are five ways PCI DSS 3.0 makes security a shared responsibility:

1. PCI DSS 3.0 compliance is not optional.

Any business handling cardholder data must be PCI compliant or risk fines from the major credit card companies following a breach. However, the financial fallout goes beyond penalties: Enterprises may find themselves spending money to clean up a PR nightmare. Proactive vendor risk management can stave off liabilities before they become breaches.

2. Neither are periodic vendor assessments.

Periodic vendor assessments can help companies know what they don’t know. In the CardSystems example, the organization had been audited and found to be standards-compliant in 2004 (the PCI DSS hadn’t quite been introduced then), but an investigation after the breach found it wasn’t compliant in 2005. Assessments must be thorough as well, partly to ensure a vendor that says it’s compliant actually is. Following PCI DSS 3.0 is beneficial to merchants, but some third parties may think they are following the standards when in fact they aren’t. Vendors should want to know what they can do better to protect cardholder data.

3. Responsibilities must be defined.

A new requirement of PCI DSS 3.0 mandates a clear delineation of which party (the company or its vendor) is responsible for which part of compliance. At first glance, this might be contentious because vendors may feel they are being charged with more responsibilities than they want. Reaching this delineation may require negotiation, but after the initial shock, this is where companies and vendors can work together to decide how they will achieve PCI DSS 3.0 compliance.

4. Documentation will get better.

With PCI DSS 3.0, service providers now must provide documentation when they are handling cardholder information. Also, noncompliance becomes a bigger headache for vendors. Though this may seem to set up an adversarial relationship between the third party and its customer, again, it offers the opportunity for the two sides to become partners in achieving compliance. A company that knows a vendor is striving to follow PCI DSS 3.0 can focus its risk management efforts where they are most needed, either on that vendor or on more challenging third parties under contract. And of course, the reputation of a vendor in compliance is more likely to grow.

5. The little guys will get the help they need.

For smaller merchants and vendors, PCI DSS 3.0 is going to be a challenge because many who never were concerned about compliance suddenly must follow the updated guidelines. For example, a new requirement directs companies to regularly inspect point-of-sale (POS) machines for tampering, but some merchants may not have a clue how to do this. Companies can share the security responsibility by guiding their vendors through the new requirements of PCI DSS 3.0. By informing third parties what they need to do and offering advice on how to do it, enterprises encourage compliance and minimize their own risk.


Six Ways PCI DSS 3.0 Impacts Vendor Risk with Payment Application Developers

In 2012, Global Payments, a credit card payments processor, was compromised, and the credit card information of 1.5 million customers was stolen, costing Global Payments $94 million in penalties and reparations.

A breach at a third party handling your payment applications may cost you as much, so companies must conduct robust vendor risk management with these developers. Here are six ways version 3.0 impacts vendor risk management with payment application developers:

1. PA-DSS compliance doesn’t mean PCI compliance.

The new update clarifies that applications that follow PA-DSS standards are still within the scope of a PCI DSS audit. From a vendor risk management standpoint, you or the developer can’t assume that PA-DSS-compliant software is necessarily also complying with the PCI DSS.

2. Training standards

Vendor personnel with any PA-DSS responsibility must receive annual training. Companies must insist upon this from their vendors and check for it as part of their vendor risk management initiatives.

3. Application updates

Vendors have to provide written details of any updates to their applications, which should give vendor risk management staff more visibility into their payment application developers.

4. Risk assessment during the development process

The PA-DSS update mandates that vendors incorporate risk assessment techniques into their software development, meaning the software can be thoroughly vetted before you even screen the vendor.

5. Differing passwords

Vendors must now use a unique authentication credential for each individual customer environment. If the password information for another company is breached, the hacker won’t automatically possess the credentials for your company as well.

6. Source code integrity

Under the new standards, payment application vendors must verify the integrity of source code during the development process. Best practices in coding techniques are mandated as well. Furthermore, only people directly involved with an application should have write access to it. Vendor risk management screenings may ask about this final point; PA-DSS now requires it in the hopes of preventing unauthorized employees at the vendor from inserting their own, potentially invasive, code.


Six Recommendations for Maintaining PCI Compliance with 3.0

Read the financial news on any given morning and you’ll find a story about a data breach costing an organization millions. Some companies don’t take PCI compliance seriously and don’t fully comprehend the risks of ignoring it. In fact, a recent ControlScan survey discovered that 69 percent of Level 4 merchants (the smaller businesses on the spectrum) don’t believe they will fall victim to a data breach, and nearly half of the survey respondents had little or no familiarity with PCI DSS.

Many large organizations know better but still must take steps to ensure their vendors are following PCI compliance, particularly if third parties are handling an organization’s payment data. A company’s efforts to protect against data breaches won’t mean a thing if customer records are compromised due to the negligence of a vendor. Here are six recommendations for maintaining PCI compliance with the new 3.0 standard:

1. Make no assumptions

If an IT person at a vendor tells you a new piece of software or a revised process is following PCI compliance guidelines, should you just take their word for it? Third parties may think they are following PCI compliance best practices because they use anti-virus software and outdated encryption methods, but without a thorough auditing process and careful risk screenings, you can’t be sure. Be sure to assess your vendors against the standards!

2. Don’t store what you don’t need.

Credit card numbers are the Holy Grail for cybercriminals. From a merchant’s standpoint, the level of protection needed to guard such data is immense and the consequences of a breach are crippling. So if storing cardholder data isn’t necessary, don’t let your vendor do so.

3. Upgrade to passphrases.

PCI DSS 3.0 recommends that merchants consider using passphrases instead of passwords. Passphrases are tougher to decipher than even the most complex passwords and will help in efforts to achieve PCI compliance.

Passphrase

An alternative to using a “password” is to use a “passphrase”. A passphrase is a sequence of words strung together to create a “password”. To do this, you need to erase your traditional thoughts of building a password. Instead of worrying about how many characters your password needs to have, consider multiple words that can be combined to make a phrase. A passphrase is made up of four or five short words, put together in a way that makes sense to you. While your “password” may be longer (which makes it more secure), it will be easier for you to remember. Here are some examples:

“My dog just turned eight.” = “MyDogJustTurn-D8”

“Look at all the snow today!” = “LookatAlltheSnow2day!”

“I love to go fast in my car!” = “Ilove2goFastInMyCar!”

Passphrases must meet all of the requirements of traditional passwords. One final tip: choose a phrase that you can easily remember, but to increase security avoid common phrases, lyrics, titles, and quotations. Your passphrase should be words that you put together yourself and that have meaning to you.
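As an added example (not code from the original post), a small Python checker that applies the rules this section states: the traditional-password requirements (at least six characters with letters, numbers and symbols, as the Security Basics section later on this page spells out) and the advice to avoid common phrases, lyrics, titles and quotations. The denylist, the naive strength estimate and the function names are constructed assumptions, not part of any PCI DSS text.

```python
import math
import re

# Traditional-password requirements as stated on the page.
MIN_LENGTH = 6

# Constructed denylist standing in for "common phrases, lyrics, titles and
# quotations"; a real deployment would load a much larger list.
COMMON_PHRASES = {
    "to be or not to be",
    "may the force be with you",
    "let it be",
}

def _letters_only(text: str) -> str:
    """Lower-case and strip everything but letters so 'LetItBe!2024' matches 'let it be'."""
    return re.sub(r"[^a-z]", "", text.lower())

def check_passphrase(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means the passphrase passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"\d", candidate):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9\s]", candidate):
        problems.append("no symbols")
    flattened = _letters_only(candidate)
    for phrase in sorted(COMMON_PHRASES):
        # Substring match so that punctuation, digits and casing cannot disguise the phrase.
        if _letters_only(phrase) in flattened:
            problems.append(f"contains common phrase: {phrase!r}")
    return problems

def estimate_bits(candidate: str) -> float:
    """Naive strength estimate: length * log2(size of the character classes used).
    It only illustrates why a longer passphrase beats a short complex password;
    it does not model dictionary attacks on the words themselves."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"\d", candidate):
        size += 10
    if re.search(r"[^A-Za-z0-9\s]", candidate):
        size += 33
    return len(candidate) * math.log2(size) if size else 0.0

if __name__ == "__main__":
    for p in ["MyDogJustTurn-D8", "LookatAlltheSnow2day!", "Ilove2goFastInMyCar!", "LetItBe!2024"]:
        print(f"{p:24} {check_passphrase(p) or 'OK'} ~{estimate_bits(p):.0f} bits")
```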

4. PA-DSS

Along with the PCI DSS update to 3.0, the Payment Application Data Security Standard, or PA-DSS, was updated this year. These guidelines address applications and software used for any part of an electronic transaction. Becoming familiar with PA-DSS 3.0 is imperative, but never assume that just because an application is following PA-DSS guidelines that it is also in line with PCI compliance standards. Check both.

5. Simplify.

Achieving PCI compliance can be a detailed task, but with enough advance planning and due diligence, it doesn’t need to be. From a vendor risk management standpoint, using an automated solution can streamline the assessment process and get your third parties much closer to compliance in much less time.

6. Don’t settle for complacency.

Many merchants are audited once a year for PCI compliance, but one positive screening doesn’t mean a vendor is compliant forever. Technology changes, processes are updated, cyber-attacks become more sophisticated. Staying vigilant and working with your vendors toward PCI compliance can reduce risk and protect the cardholder data of your customers.

What does your company recommend to vendors trying to achieve PCI compliance?


Security Basics 101

Remember the basics – Be cautious about what you post and who you befriend on social media. A new “friend” may not be a friend at all. He/she may just want to learn more about you and use it for malicious purposes. Use strong passwords. Passwords should be at least six characters long and include a combination of symbols, letters and numbers. We also suggest using passphrases, which are harder to guess, such as “mydogisnameddexter.” Businesses should conduct security awareness training that covers these tips and others so that employees have a better understanding of how to avoid becoming a victim.

Think twice before opening an attachment or link – Criminals often send emails that contain malicious links or attachments. Once the receiver opens the link or attachment, malware is planted on his/her machine. Before clicking on such lures, confirm with the sender that he/she did indeed send it. If you do not know the sender, it’s best not to open it.

Perform frequent penetration testing – Employers should have frequent penetration testing performed on their networks, applications and databases. Penetration testing identifies vulnerabilities within a business’s security so that business leaders can fix the weak spots before it’s too late.

See the threats – Security technology such as Security Information and Event Management (SIEM) collects data from a business’s network, databases and applications, and alerts security staff in real time to any threats or unusual activity. This kind of technology helps organizations lower their threat detection and reaction times, which greatly reduces their risk and the potential for damage caused by undetected threats.

Don’t forget about mobile – According to the 2013 Trustwave Global Security Report, our security researchers saw a 400 percent increase in mobile malware in 2012. Malware, policy violations, data loss, as well as unsupported and insecure mobile applications, are creating new security risks. Business leaders must add security controls to help protect the data to which mobile devices have access. For example, technology such as Network Access Control enables granular control over network access and continuous monitoring of corporate-sanctioned and BYOD endpoints to help prevent malware and other threats that can harm infrastructure and leave businesses vulnerable to attack and data loss.