The Dark Side of PCI Compliance — Beware the QSA Sith Lords

Over the years we’ve spent working in the data security industry, we’ve talked to countless QSAs, and companies that have had QSAs audit them.

Observing from a neutral perspective, it became clear to us that how quickly a company can attain PCI compliance (or, put another way, how quickly it can get secure) depends on the quality of service the QSA provides.

If you were wrongfully charged with murder, you wouldn't want a shabby lawyer representing you in court; you'd be gunning for the best you could afford.

In the same way, it's ludicrous to even consider working with a substandard QSA partner. If an attacker catches you being any less secure than you should be, your company is in for a world of hurt.

The most vital deciding factor in how much good a QSA can do for you is this: how much do they care about your security?

Because once a QSA goes rogue, ethics go out of the window, which can lead to practices that are detrimental to your security.

We've heard of all kinds of terrible QSA partners: some make no secret of the fact that they are in it only for the money, others just want to 'get it over with' and move on to their next client.

These QSAs are willing to go where no QSA should go: incentivising their staff to complete more audits rather than thorough ones, letting clients write their own onsite review and simply signing off on it, and even outsourcing parts of the job to low-cost providers that will not give your environment the attention it requires.

What A Good QSA Looks Like

When you pick a QSA partner to work with, keep an eye out for these gleaming traits.

A good QSA will maintain a vested interest in you and, for the sake of your security, is willing to be tough yet fair. Imagine a super-nanny-type relationship: if you try to cross the line or cut corners, you'll get the naughty stool.

They're willing to go the extra mile because they know that if you get hacked, their reputation suffers too.

Perhaps most importantly, they see themselves as an extension of your business: your security partner.

Remember, not every QSA firm is run by upstanding boy scouts who make your security their priority. Perform a thorough background check, including a look at their LinkedIn company profile, which should give you a fair idea of their headcount and dedication to the craft.

No doubt it's easier and quicker to just let a bad QSA run its course, but never forget that the entire point of PCI compliance is being secure; it's so much more than a hurdle to leap over.



PCI DSS 3.1 Changes – A 60 Second Guide

What’s the main change in PCI DSS 3.1?

SSL, the protocol that for years carried 'secure' traffic on the internet, is no longer considered secure: published attacks on it (most recently POODLE against SSLv3) have no fix short of abandoning the protocol. As a result, PCI DSS 3.1 removes SSL, along with early TLS, from its definition of strong cryptography, which the standard requires for protecting cardholder data in transit.


What should we do?

Disable SSL (every version, including SSLv3) across all systems in scope, and update your applications, web servers, load balancers and client libraries to negotiate TLS v1.2. Then verify it rather than assume it: test each in-scope endpoint to confirm that SSLv3 and TLS 1.0 handshakes are now refused, not merely that TLS 1.2 is offered. More information on how to do this can be found in the official PCI SSC information supplement, 'Migrating from SSL and Early TLS'.
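As an added example (ours, not code from this page or from the PCI SSC supplement), the following Python uses only the standard `ssl` module to do the two things the step above asks for: build a client-side context whose floor is TLS 1.2, and audit an nginx `ssl_protocols` directive for versions that should no longer be enabled. The sample nginx config is constructed for the example, and the weak-protocol list is an assumption that goes slightly beyond the SSL-only wording above by flagging TLS 1.0 and 1.1 too, in line with the TLS v1.2 advice. The live probe `server_accepts` is not exercised offline; point it at your own hosts.

```python
import re
import socket
import ssl

# Protocol versions treated as weak here. Assumption for this example: TLS 1.0 and
# 1.1 are flagged alongside SSL to match the "move to TLS v1.2" advice; the page
# itself only names SSL.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses any server still negotiating SSL or early TLS."""
    ctx = ssl.create_default_context()            # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # floor at TLS 1.2
    return ctx


def context_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version a context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def audit_ssl_protocols(nginx_conf: str) -> dict:
    """Return {line_number: [weak protocols]} for every nginx ssl_protocols
    directive in the config text that still enables SSL or early TLS."""
    findings = {}
    for lineno, line in enumerate(nginx_conf.splitlines(), start=1):
        m = re.match(r"\s*ssl_protocols\s+([^;]+);", line)
        if not m:
            continue
        enabled = set(m.group(1).split())
        weak = sorted(enabled & WEAK_PROTOCOLS)
        if weak:
            findings[lineno] = weak
    return findings


def server_accepts(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Live check: does the server at host:port still complete a handshake at exactly
    `version` (for example ssl.TLSVersion.TLSv1)? Not run offline. A modern local
    OpenSSL may itself refuse to speak old versions, which shows up as False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # only the handshake outcome matters here
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")    # let OpenSSL offer legacy suites for the probe
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version             # pin both ends so only `version` is offered
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


# Constructed sample: a vhost that still offers SSLv3 and early TLS, and its corrected form.
WEAK_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
FIXED_CONF = WEAK_CONF.replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2")

if __name__ == "__main__":
    print("weak config:", audit_ssl_protocols(WEAK_CONF))    # {3: ['SSLv3', 'TLSv1', 'TLSv1.1']}
    print("fixed config:", audit_ssl_protocols(FIXED_CONF))  # {}
    print("client floor:", context_floor(hardened_client_context()))  # TLSv1_2
```

The config audit catches the common failure mode of a migration: TLS 1.2 gets added but SSLv3 is never removed, so a downgrade-capable client can still be served over SSL. The probe is the independent check: run it against each endpoint with `ssl.TLSVersion.SSLv3` and `ssl.TLSVersion.TLSv1` after the change and expect False.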


When’s the Deadline?

In the interests of security, as soon as possible: any data you transmit over SSL is at risk today. That said, the PCI SSC and the supporting payment card brands have given merchants until 30 June 2016 to complete the migration.



Who Moved My Data? An Amazing Way to Deal with Understanding Your Company’s Sensitive Data Risks

At Ground Labs, we’re always stressing the importance of understanding who wants your data, and where it can be found on your systems.

As Sun Tzu is famously quoted, "If you know the enemy and know yourself, you need not fear the result of a hundred battles."

But if it were a simple task, we wouldn't be reading about hackers making off with millions of cardholder data records every other week. While companies today are significantly more technologically advanced than they were 10 years ago, the data risks presented by new technologies have grown in tandem.

Cloud storage, the rise of Bring Your Own Device (BYOD), and even seemingly harmless functions like autosave can pose a huge threat to your company's data security.

Would the average IT security expert think of looking in .bak and .sv$ files (backup copies and AutoCAD autosave files) for sensitive data?

And even if they were that thorough, would they have the time to be?

The good news is that Ground Labs' data discovery software finds sensitive data on systems far more thoroughly and quickly than a human ever could.
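To make the point concrete, here is an added Python example (ours, not Ground Labs code, and not a description of how Card Recon or Enterprise Recon work internally) of the minimum a thorough sweep has to do: walk every file regardless of extension, pull out digit runs that could be a card number, and keep only those that pass the Luhn check so that order numbers and phone numbers are not reported. The sample files it creates are constructed for the example and use public test card numbers, not real cardholder data.

```python
import re
import tempfile
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MAX_FILE_BYTES = 50 * 1024 * 1024   # skip huge files in this demo; a real scanner streams them


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Show only the first six and last four digits, the PCI DSS masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_bytes(data: bytes) -> list:
    """Return masked PANs found in a byte buffer."""
    hits = []
    for m in PAN_CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if len(set(digits)) == 1:          # 0000000000000000 passes Luhn but is never a PAN
            continue
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_tree(root: Path) -> dict:
    """Scan every regular file under root, whatever its extension, and return
    {relative posix path: [masked PANs]} for files that contain at least one."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        hits = scan_bytes(path.read_bytes())
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo, using public test card numbers:
    an AutoCAD autosave (.sv$) and a spreadsheet backup (.bak) that hold PANs,
    plus a log and a note whose 13-16 digit numbers fail the Luhn check."""
    (root / "drawings").mkdir()
    (root / "drawings" / "invoice.sv$").write_bytes(b"Bill to card 4111 1111 1111 1111 exp 12/19\n")
    (root / "customers.xls.bak").write_bytes(b"ACME,5555555555554444,Jane\n")
    (root / "app.log").write_bytes(b"order id 1234567890123456 ok\n")
    (root / "notes.txt").write_bytes(b"phone 0123456789012\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, pans in demo().items():
        print(f"{rel}: {', '.join(pans)}")
```

Two design choices carry the lesson of the paragraph above: nothing is filtered by file extension, because the data that bites you lives in the files nobody thinks of, and the report only ever contains masked numbers, because a scan report full of plaintext PANs would itself be a new place for that data to leak from.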

However, understanding your data is so much more than just knowing where it is and securing it.

Using our products in conjunction with good security processes amplifies their effectiveness by leaps and bounds. Here are a couple of good places to get started:

Data Flow Diagrams

An example of a data flow diagram

One good way to start understanding your data from ground zero is by creating a data flow diagram. What a data flow diagram does is provide a visual representation of the way information flows through a system, which makes it easy to comprehend just what in the blazes is going on in your network.

As it's often said, sometimes it's about the journey, not the destination. And we guarantee that on your epic quest to discover how data flows through your network, you will uncover countless bad practices that you can snuff out, like that one person who takes sensitive data out of the office on a thumb drive and connects to unsecured WiFi networks.

Speaking of oblivious employees, education also plays a big part in keeping your company secure.

From the CEO to the coffee-making intern, every member of the organisation should understand and carry out good security practices. Even the most secure and expensive of firewalls are rendered useless when an employee lets hackers in through a phishing attack.

Understanding your data is much simpler once there are no rogue agents moving data around without your IT security team's knowledge.

Rinse and Repeat
Running a business is hard work, we get it. Things are always coming at you from all directions; seemingly less important tasks fall into the to-do pile and, more often than not, never get done.

This happens especially often with data security. In a survey conducted by Verizon, 80% of companies found compliant with the Payment Card Industry Data Security Standard (PCI DSS) had fallen out of compliance by the following year. They went to all the trouble of securing themselves, then backslid and essentially wasted their initial efforts.

Compliance is Not a Point in Time, But an Act of Continued Vigilance

Review your data flow diagram every few months and make sure it's still accurate. Make sure new employees receive the same training as their seniors. Run scans periodically, so that sensitive data that has crept back onto a system is detected before an attacker finds it.

Ground Labs’ data discovery tool for large organizations, Enterprise Recon, makes it easy to keep a vigilant eye on your data. Schedule scans to run periodically, and receive detailed consolidated reports right in your email inbox.

Free trials of Enterprise Recon are available on our website, so if getting free scans for 30 days sounds like something you may be interested in, do stop by. See for yourself how easy our tools make it to not only understand, but take control of your data.


Are You Staying in a Non-PCI Compliant Hotel?

When you look for a hotel, the decisive factors are typically things like the price point, the quality of the room, and the ultimate deal maker/breaker: whether they have free WiFi. One of the last things on your mind in the decision-making process is whether or not your prospective hotels are going to handle your personal data with the appropriate level of security. Should it be?

If you're staying in a hotel for any (legitimate) reason, chances are you'll be paying with a credit card. Given the number of guests who do the same in a given year, that hotel's database holds a stockpile of guest credit card information. And like bees to honey, that stockpile attracts the bug-eyed glares of a most unwelcome group of people: hackers.

According to the 2014 Verizon Data Breach Investigations Report, the accommodation industry was the 4th most frequently breached industry last year, with 137 incidents reported. It's no coincidence; hackers are learning fast which industries are less protected and yield greater rewards.

Hospitality is a $457 billion industry, and it's hard to imagine a hotel's cyber security being as airtight as a bank's (which isn't to say banks don't get hacked). In addition, many hotels are part of global brands that standardise their computer systems, meaning that an attacker who exploits one vulnerability at one property has a ready-made route into every other hotel in the group.

The Accommodation industry is hit often, and hit hard.

Every year Ground Labs sponsors HITEC, which is the largest single gathering of technology and revenue experts from the hotel industry. Our team always has very interesting discussions with hotel property managers who are still trying to figure out data security across their fleet of hotels, often spanning multiple different brands. Needless to say, security of credit card information is a real challenge and something the hospitality industry hasn’t solved yet.

Dell SecureWorks states that hackers can make between $4 and $28 per stolen credit card record, depending on the issuing card brand, country of origin and the amount of personal information bundled with it. That extra personal information can be harvested in a variety of ways, such as memory-scraping malware on the point-of-sale system that copies card data out of memory every time a card is swiped, or a hotel illegally collecting your personal data when it double-swipes your card through its own systems.

Using Enterprise Recon, a well-respected hotel group in London found a non-compliant application supplied by their payment processor was storing a full copy of every credit card transaction processed on their Windows desktop computers. This was occurring even after their payment processor had given assurances that the software was PCI compliant. This is just one story, and there are dozens more we know of, and probably thousands more we don’t know about.

So what can you do about it? Unfortunately, aside from paying in cash, there are no proactive measures available; you can’t exactly call up a large brand and ask the front desk for a copy of their PCI Report On Compliance (ROC).

For cardholders, it's a matter of checking your credit card statement every month for fraudulent transactions. If your card data is stolen and used without your knowledge, you are generally not liable for those transactions and can claim the money back from your issuing bank.

In the hope that it never comes to that, it's every hotel's responsibility to safeguard sensitive guest data. The PCI DSS sets out the requirements for building a secure system, covering all aspects of operational and tactical security, including encrypting or deleting cardholder data stored on the hotel's network. Many hotels have demonstrated compliance with the standard at some point in time, but it's up to the hotels to stay vigilant and constantly monitor their systems for vulnerabilities and threats. There are over 17,500,000 hotel rooms in the world, which equates to 6,387,500,000 room nights a year to sell, and that's a lot of credit card numbers being stored.

It's the same task faced by every company that deals with sensitive customer data, and although the cost and effort required to stay secure is not small, you'll find it is heavily outweighed by the penalties of becoming the next big data breach.

After all, who wants to stay in a hotel that doesn’t look after your personal information?

Stop Wasting Time on PCI Remediation: Part 2

In the previous instalment of our ‘Stop Wasting Time on Remediation’ series, we highlighted how establishing a strong working relationship with your Qualified Security Assessor (QSA) is an essential foundation for achieving a PCI remediation plan. But just as important as it is to work well with outsiders, there needs to be a strong sense of camaraderie within your organization as well.

Data security is a company-wide responsibility

Imagine you’re leaving work late one night when you see a suspicious person attempting to gain forceful entry into your office. You wouldn’t just walk away, thinking that your company’s security guards will handle the situation, would you?

It's the same with data security: every additional person who gets involved is another pair of eyes ready to detect threats. To attain the coveted title of PCI compliant, remediation cannot be carried out solely by your company's IT department. In fact, it is arguable that the responsibility for remediating cardholder data risks lies more with the people who handle that data to begin with: your company's employees. They are the ones acquiring and processing cardholder data on a daily basis, so they should share the responsibility of safeguarding that very same data. Or, more to the point: if the employees created your compliance issues in the first place, why not empower them to fix them too?

Teamwork is essential to keeping your data systems secure.

Everyone from Finance to HR has to get in on the remediation act and, beyond that, help out in the never-ending responsibility of keeping hackers out.

Because the entire PCI compliance process, remediation included, must be repeated on a continual basis, managing the human factor of remediation becomes an entirely different challenge. The responsibility for keeping all employees on board for the long haul falls on management, who have to build a strong understanding across the company of why data security must be taken very seriously.

Beazley reports a 10% increase from 2013 to 2014 in breaches attributable to someone inside the company. Hackers are counting on someone in your company to slip up; all they need is one employee to click a malicious link to take the first step towards a doorway into your network.

Aside from cardholder data, there are many other types of sensitive data that require securing, such as personal identification numbers and healthcare information.

To further highlight the problem, here's a horrible truth: 9 out of 10 employees knowingly violate policies designed to prevent data breaches. Kind of makes you want to give in to ennui and despair, doesn't it?

Peter Lefkowitz, vice president and chief privacy officer at Oracle, believes that part of the problem lies in employees not comprehending data protection policies. In this article from The Privacy Advisor, Lefkowitz elaborates on how policies should be as simple to understand and follow as possible. “My experience has been most employees are happy to comply with policy, but the policies need to be made understandable; the policies need to be communicated to employees, and employees need to be trained on the policies in a way that fits what their job is.”

It does get progressively harder to enforce these policies the larger your company is, but we're coming full circle to the original point: all employees should feel that data security is everyone's responsibility, and it's your job to cultivate a working environment that embodies that mindset.

The most practical way to make employees more aware starts with changing how security violation alerts are routed. Traditionally, security alerts are seen only by the IT security team, so employees remain oblivious to the real-life threats the company faces every day. If you run platforms that monitor for violations of security policy, consider sending alerts directly to the staff members committing the violations. These violations usually happen by accident, so detecting them quickly and alerting immediately teaches staff what good and bad behaviour look like.

A simple example rests within the Ground Labs Enterprise Recon product. Its most popular feature is the ability to continually monitor for cardholder data storage violations and generate an alert that is directly sent to the custodians of that data – usually the employee sitting on the system where the violation occurred, or their immediate manager / team leader. Whilst this outcome in itself is a great foundation for security, the more important side effect is the change in behavior that occurs among employees. By knowing that systems are in place to monitor and alert when an employee or application stores cardholder data in an insecure way, they immediately become aware of what not to do, and become more interested in wanting to understand how not to generate an alert or more to the point – how to properly handle cardholder data in a PCI compliant manner.

Very quickly you will see fewer occurrences of cardholder data being sent via email, or of spreadsheets being used as mini customer databases containing full payment details. Employees know that if they do this, an alert will be generated, and there are potential consequences that come with it.

In the ideal security-aware company, employees are alert to threats and know how to react to suspicious activity. There should be a clear procedure on who to inform once a threat has been identified, so that threats can be dealt with as swiftly as possible.

Start by changing the mindsets of employees by letting them know that security is everyone’s business, not just the tech nerds’.


Stop Wasting Time on PCI Remediation

Remediation: it's one of the toughest areas of the PCI compliance journey and something just about every organisation struggles with. To add more pressure, Visa recently confirmed its tough stance on organisations that don't yet have a proper remediation plan, with steep fines commencing January 1 2015.

In an effort to provide more useful guidance for those caught between a PCI rock and a remediation hard place, this 3-part series will offer some simple strategies on how to re-think your entire remediation process and achieve PCI compliance in a realistic timeframe.

Part 1- Form a partnership with your QSA

Your QSA is not your enemy

We touched on this point briefly in a previous blog post titled "It Won't Be Your QSA Who Gets Thrown Under the Data Breach Bus", but it's so important that we want to expand on this simple concept: Qualified Security Assessors (QSAs) are invaluable comrades in your journey to PCI compliance, and it's imperative you work in tandem with them. They don't want you to get breached, so their job is to be as thorough as possible in helping you assess the security risks that might lead to one.

If you put up walls as soon as the QSA arrives onsite, you're wasting both your time and theirs, and you're paying for both. It's also a horrible place from which to build a relationship of trust.

Don’t muscle your QSA into signing off something that isn’t secure.

You can't remediate something by forcing your QSA to turn a blind eye, yet many companies establish estranged relationships with their QSA in an effort to invest the bare minimum in remediation. Just about every QSA has seen clients attempt this, and it's a mindset that dooms a company's compliance efforts from the outset. It often ends with companies attempting to muscle their QSA into signing off things that are simply not secure; if the QSA rightfully refuses, they move on to find a QSA who will sign without scrutiny.

It’s okay to be honest – In fact your QSA will respect you for it!

QSAs are not invaders bent on pillaging your lands, so there’s no need to wall them out.

By opening up to your QSA, fully disclosing all issues and leveraging their knowledge and experience, you'll end up saving a significant amount of time and money. QSAs must be allowed to give you open and honest feedback on which parts of your plan are best practice and which parts you should reconsider.

Both of you will be able to sleep a lot better at night knowing exactly what the real issues are.

An easy-going QSA isn’t doing you any favours

Picking a QSA is like picking a Nanny for your children: you want someone strict yet fair, who is able to feel personally invested in the child’s upbringing. You want someone with moral integrity who you can trust long-term. The last person you want is someone who will send the kids off to bed at 7pm and just spend the rest of the evening watching TV.

In all seriousness though, your QSA should be the perfect blend of experience, technical knowledge and character. QSAs want you to be breach-free as much as you do; it's bad for business if word gets out that a client of theirs was breached. Every system carries security risk, so don't be afraid to admit to weaknesses your own systems might have; it's perfectly normal for a young, healthy company to be going through changes. There's nothing you could be hiding that your QSA hasn't seen before, and they will appreciate your honesty and respect you for it.

“My name is John and I’m not as secure as I thought”

The first step in rehab is admitting you need help, and data security is no different. Using ignorance as a basis for achieving compliance will lead to a far worse situation. QSAs are trained security professionals, so hear them out, and have your team work with theirs.

Leverage on your QSA’s experience – they’ve seen it all before.

OK, so you've opened up to your QSA, you've both discovered things you weren't expecting, and now it's time to fix them. What next?

Don't be afraid: ask them! You're not the first organisation to uncover security issues you didn't know about, and you certainly won't be the last. QSAs have seen it all, and they've also seen how other organisations went about resolving similar issues. They can use that knowledge to help you understand what works and, more to the point, what doesn't.

For an added layer of assurance, some organisations contract with separate QSA firms – one to undertake the remediation work, and the other to provide the assessment services to validate compliance with the PCI DSS. However it’s important to note that there is no specific requirement around this. A good QSA will warn you of any potential conflicts of interest they can see and talk this through with you in an open and honest manner.

You should also ensure your QSA isn't insisting that you MUST use a particular solution to solve a problem. Be wary of QSAs who offer in-house solutions they've built as a way to remediate issues: chances are they're not best-of-breed compared with independent specialist vendors, and they're primarily sold by leveraging the existing client relationship.

In summary – Treat the annual event of a QSA visit as an opportunity to further improve your security and learn new things, not as a chore you have to get through like a dentist visit. QSAs are a wealth of cybersecurity information, and you should do all you can to pick their brains and learn how you can continually improve your company’s data security posture.

How do you quantify a data breach? This calculator makes it simple

Working with the Ponemon Institute, which publishes the annual Cost of a Data Breach study, IBM has developed a Data Breach Risk Calculator that estimates how much financial damage your company would suffer if it fell victim to a data breach.

This handy tool uses the latest Ponemon Institute 2014 data and takes into account factors such as the size of your company and where you're located, to give you a clear picture of how a data breach could impact your business.

According to this year's Ponemon data, the average cost per compromised record is $213; multiply that by 23,647, the average number of records per breach in 2013, and you're looking at an average loss of over $5 million.

In addition to the monetary losses of a data breach, it's important to understand the reputational hit you'll take: this research from SafeNet reminds us that 65% or more of customers are unlikely to do business with a company again after a financial data breach.

If your organisation already uses Card Recon, Data Recon or Enterprise Recon, you already have the ability to calculate the total amount of sensitive data found on a single system, or across the entire network (Enterprise Recon only). Simply take these numbers and enter them directly into the Data Breach Risk Calculator to establish a financial risk number. This is a valuable piece of information to have when discussing current risk positions in the organisation with your executive.

In fact, you may find that proposals you've been presenting within the business for improvements in data security rapidly move up the priority list on the strength of this number alone. The simplest strategy you can employ is to find and then remove all sensitive data you don't need, leaving nothing for hackers to steal: $213 * 0 = $0.00.

Try the Data Breach Risk Calculator today. And if you don’t have an accurate count of what sensitive data is being stored, take a free trial of a Ground Labs data discovery tool. It takes less than a minute to start.

Not yet PCI compliant? The fines begin January 1, 2015

If you're a third-party service provider handling any cardholder data, or a merchant processing more than 1 million transactions per annum, this latest news from Visa is relevant to you.

Visa has reiterated that PCI compliance must become a high priority for service providers and Level 1 / Level 2 merchants, and warned that failing to demonstrate compliance by January 1 2015 will result in fines of up to USD $25,000 per month ($300k per annum) and removal from the Visa Global Registry of Service Providers.

This strong position from Visa is not surprising given the frequency of large-scale data breaches recently, the latest announced this week by United Parcel Service (UPS), which was reported to affect 105,000 transactions across 51 stores in the United States.

If your executives still question the cost of PCI compliance and the value it delivers, there are now plenty of real-life examples of why a data breach is something you absolutely want to avoid. In a recent Forbes article, Target is reportedly still reeling from the effects of the December 2013 data breach, slashing its second-quarter earnings-per-share guidance from $0.85-$1.00 to $0.78 and citing the data breach, along with debt retirement expenses, as the primary reasons. So far the breach has cost the company $148 million, and it potentially affected the records of around 70 million customers, roughly 20% of the entire US population.

Large companies are not the only ones being targeted: more than 400 data breaches have been reported in 2014 alone, not counting undisclosed breaches or companies that are unaware they've been hacked. Only 33% of breached organisations discover the breach on their own rather than being told by an outside party, and even those take an average of 229 days to do so.

What are the PCI non-compliance fines?

If you are not yet compliant and have not demonstrated an acceptable remediation plan towards becoming compliant soon, the fines levied by Visa via your acquiring bank are as follows.

Table: monthly fine, by merchant level (Merchant Level 1, Merchant Level 2).

Fines commence January 1 2015 for service providers and Level 1 / 2 merchants who are not compliant. Amounts shown are in USD.

In addition, Visa issues fines for Prohibited Data Storage (Track 1 / Track 2), which is the storage of full magnetic stripe data.

Monthly Prohibited Data Storage Violation Fines (USD)

Table: fine per month, by merchant level (Merchant Level 1, Merchant Level 2), escalating across three bands: months 1-3, months 4-6, and months 7 and up.
Why are there additional fines for Prohibited Data?

Under the PCI DSS, storing Track 1 or Track 2 magnetic stripe data after authorisation is prohibited, regardless of whether it's encrypted or not (the same rule covers the other sensitive authentication data: card verification codes and PIN blocks). The reason is that a hacker who steals this information can immediately reproduce the physical card, sign it and use it for in-store shopping at physical shopfronts.
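The distinction matters for detection, so here is an added Python example (ours, not Ground Labs code) that recognises full Track 1 and Track 2 data by its structure rather than by the PAN alone: the start sentinel, the field separators with an expiry date and three-digit service code between them, and the end sentinel. A bare PAN in a file is a finding of a different class; a full track is prohibited data whatever else is true about the system. The POS log it scans is constructed for the example using public test card numbers.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")


def mask(pan: str) -> str:
    """First six and last four digits only, so the report itself is not a new violation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return, in order of appearance, one dict per full-track occurrence:
    {'track', 'pan' (masked), 'expiry' ('MM/YY'), 'service_code', 'offset'}."""
    found = []
    for m in TRACK1.finditer(text):
        pan, _name, yy, mm, sc = m.groups()
        found.append((m.start(), 1, pan, yy, mm, sc))
    for m in TRACK2.finditer(text):
        pan, yy, mm, sc = m.groups()
        found.append((m.start(), 2, pan, yy, mm, sc))
    hits = []
    for offset, track, pan, yy, mm, sc in sorted(found):
        if not 1 <= int(mm) <= 12:       # an impossible month means this is not real track data
            continue
        hits.append({"track": track, "pan": mask(pan), "expiry": f"{mm}/{yy}",
                     "service_code": sc, "offset": offset})
    return hits


# Constructed POS log, test card numbers only. Line 1 holds a masked PAN (permitted);
# lines 2 and 3 hold full Track 1 and Track 2 data (prohibited even if the file were
# later encrypted); line 4 looks like Track 2 but carries an impossible month.
SAMPLE_LOG = (
    "2014-11-03 10:02:11 POS-07 auth ok pan=411111******1111\n"
    "2014-11-03 10:05:42 POS-07 raw=%B4111111111111111^DOE/JOHN^19121011000000000000?\n"
    "2014-11-03 10:05:43 POS-07 raw=;5555555555554444=19121011000000000000?\n"
    "2014-11-03 10:07:09 POS-07 debug ;1234567890123456=19991011?\n"
)


def sample_findings() -> list:
    """Run the detector over the constructed log."""
    return find_track_data(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in sample_findings():
        print(f"track {hit['track']} at byte {hit['offset']}: {hit['pan']} "
              f"exp {hit['expiry']} service code {hit['service_code']}")
```

A Luhn check on the captured PAN, as any PAN scanner already does, cuts false positives further. The caveat a practitioner should keep in mind is that pattern matching only works on plaintext: an encrypted copy of track data is just as prohibited and is invisible to this kind of scan, so the places to look are the points where the data exists in the clear, such as POS debug logs, payment application databases and backups taken before encryption was applied.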

What region does this apply to?

This stricter enforcement is being rolled out globally, so it doesn't matter where in the world you are: as long as you are a merchant accepting Visa, these rules apply to you, with no exceptions.

How can I avoid these fines?

As a first priority, you should become PCI compliant before this date. For many large merchants, this will involve engaging with a QSA to perform a PCI onsite review.

By communicating openly with your acquiring bank and establishing a comprehensive remediation plan ASAP, which your bank must approve, you can delay the fines that commence on January 1 2015.

It is important to ensure any milestones within that plan are realistic, as your bank will be required to monitor them and ensure they are met on time. The need for this is symptomatic of what many of us in the industry see: PCI compliance has been around for 8+ years now, yet a large number of organisations are still working towards compliance with no clear compliance date in sight.

I don’t know what to do. Who can I call?

If you're looking for professional advice on becoming PCI compliant, the industry experts are PCI Qualified Security Assessors (QSAs). The PCI Council publishes a global list of approved QSAs whom you can contact and engage to help you establish a solid PCI compliance remediation plan.

Can Ground Labs help?

Yes. Whilst we don't provide consulting services like a QSA does, we make data discovery software that is relied upon by more than 300 QSAs as part of validating PCI compliance.

Our products include remediation features that eliminate or secure cardholder data storage. This is a critical step towards reducing your PCI compliance scope, and ultimately removing the opportunity for hackers to steal that data. By reducing your scope, you reduce the effort and complexity of your remediation plan and avoid the non-compliance and prohibited data storage fines mentioned above.

Take a free trial of Card Recon to see how you can find insecure cardholder data, including prohibited data, and then use its remediation features to remove it and deliver on your remediation plan.


Sources: Visa Business News; Target Corporate; Net Security