The Payment Card Industry (PCI) Standards Council (https://www.pcisecuritystandards.org/index.shtml) has published the latest version of its security requirements for card-based transactions. Updated standards have been published for Point of Sale (PoS) devices.
Directly from the PCI Security Council:
Until now there were three separate sets of requirements for Point of Sale PIN Entry Devices (PED), Encrypting PIN Pads (EPP), and Unattended Payment Terminals (UPT). Version 3.0 simplifies the testing process and eliminates overlap of documentation by providing one modular security evaluation program for all terminals and a single reference listing of approved products.
So instead of having three relatively similar sets of requirements, there is one overarching requirement. Does that mean that we’ve played to the lowest common denominator? I don’t think so. Looking at the requirements, there appear to be strong requirements for secure reading and data exchange on devices. While this doesn’t seem to be a huge stretch for PED (PIN Entry Devices) and UPT (Unattended Payment Terminals), it may be more than most are used to for EPP (Encrypting PIN Pads).
The real changes are centered around the new modules of evaluation criteria.
The first, entitled, Open Protocols, applies to Internet Protocol (IP) or to wireless enabled devices. The Secure Reading and Exchange of Data (SRED) module facilitates testing of the secure reading and encryption of cardholder data at the point of entry, and the third module, Integration, is designed to address the integration of components in an unattended POS PIN acceptance device.
The Secure Reading and Exchange of Data module seems to directly address the issues we saw come from the Heartland breach. Encrypting from the endpoint can help to lessen the exposures that allowed the Heartland data to be stolen.
The Integration module should provide a standard for how processors can attach to and interact with the device, and the Open Protocols module finally calls out some wireless standards.
This is targeted directly at devices that are built for payment cards, so it’s likely we’ll see additions or changes to the PCI DSS standard that are similar to or support these.
In presentations I give on security, I have become accustomed to a pattern of presenting the information. Step one, pose questions or situations that allow your audience to immediately identify with you or the subject. Step two, provide case studies or scenarios that provide examples to support the subject. Step three, give the audience some actionable items.
This article is all about supporting step three. If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.
In this case, I wanted to provide supporting information for the Does My Cell Phone Have a Virus article. This also seems very timely given the recent loss of the next generation iPhone at The Gourmet Haus Staudt in Redwood City, California. While I’m certain Apple has many more policies for device management, never mind the policies around having a prerelease device, if Gray Powell had simply followed the first recommendation below, things would be much different…
But I digress… Almost all the offline questions I have received from my last article have had a common theme:
- I did this, did I get a virus?
- My insert_model_phone_name_here is acting funny, what do I do?
- I installed this app, is it legit?
Trying to address issues at that level and point is the “whack-a-mole” approach you want to avoid. You want to put preventative measures in place so that these concerns are minimized.
You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:
- Loss is your biggest risk, so don’t lose your phone. Your cell phone can hold the equivalent of your birth certificate, bank statements, and diary all in one location. Maintaining physical control of the device is the best thing you can do to avoid losing your information.
- Make sure you use a password (or PIN if that’s what your phone supports) to lock out the device. This is the single biggest inconvenience that users complain about. If anyone were to pick up your device, do not leave it wide open for them to read. Protect it.
- If your device offers encryption of the device and any removable media, use it. If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information. Make it difficult for someone to get the data.
- Just because you can download hundreds of applications does not mean you should. Be aware that many free applications are made to get personal information from you (again see my other post on this). Others may actually be malicious.
- When downloading applications, be especially careful of banking applications. Only download them from trusted sources. If you can download directly from the bank, that is your best option. If you download from an app store, read the reviews and make sure you are one of the first 10 people to download something.
- Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.
- If your device supports WiFi, only connect to secure and trusted networks. A network called “FreeWiFi” usually is not the best option.
- Limit the amount of data you store on your phone. If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it. Limiting the amount of data on the device limits your risk if the device is lost or stolen.
- From a financial liability standpoint, inquire about cell phone insurance from your provider. In a day where cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month insurance to be able to replace it.
- If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost. If you remove all the data, you can limit your loss to just the device itself.
- Inquire with your provider and check with the device manufacturer for device patches and upgrades. Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.
- If your device supports third party security applications (usually Windows Mobile, Symbian, or Palm devices), look to manufacturers like Symantec and McAfee for firewall, anti-virus and spam prevention software.
Some of these are configurations you can make on your phone, while the others are things you need to know to modify your behavior while using your phone. If you follow these steps, chances are you should be okay. In the rare case you lose your phone (ahem… next generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo), know that all bets may be off. But for the average person, you’re going to be okay.