Forensic Expertise Reveals Storage of Track Data

Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState, LLC.

Synopsis
This is a case study about a software company that develops payment applications that must meet a specific set of
requirements outlined in the Payment Application Data Security Standard (PA-DSS). The client challenge involves
determining what type of expertise the PA-QSA that performs the assessment possesses.

Table of Contents
Client Challenge (p. 3)
Services Rendered (p. 3)
The Problem (p. 3)
Results & Lessons Learned (p. 3)
Conclusion (p. 3)
Case Study: Forensic Expertise Reveals Storage of Track Data

Company: Retail

Client Challenge

Software companies that develop payment applications meeting a specific set of requirements are required to ensure
that their application is secure before it can be used in a merchant's environment. The set of requirements is outlined
in the Payment Application Data Security Standard (PA-DSS), and a Payment Application Qualified Security Assessor
(PA-QSA) must validate that the application meets those requirements. The client challenge, much like everything else
in consulting, is determining what type of expertise the PA-QSA that performs the assessment actually possesses.

Services Rendered

A PA-DSS Assessment is a technical validation of the payment application in scope. The PA-DSS is made up of 13
requirements, which cover everything from forensic analysis of the application to ensuring that proper training
documentation is created for it. Upon completion of the Assessment, a Report of Validation (RoV) is written and
submitted to the Council for review.

The PA-QSA began work in March 2010. The application being validated was a previously validated PA-DSS application
but, because major changes were made to the application, a new PA-DSS review was required. Not satisfied with the
impersonal treatment from their current PA-QSA, the subject organization decided to engage another PA-QSA company
to perform the validation on the upgraded application.

The Problem

Through the forensic process, which is required for validation, it was discovered that track data was being stored on the
POS terminal. This is in direct violation of PA-DSS requirements. However, this issue was not introduced by the
upgrade; it simply had not been discovered during the previous PA-DSS validation. It came to light, through discussion
with the other PA-QSA company, that the consultant who had performed that Assessment had less than a year's worth of
forensic expertise at the time of the engagement.

Results and Lessons Learned

To comply with PA-DSS requirements, the software vendor was required to notify the Payment Card Industry Security
Standards Council (PCI SSC), and the validated application was removed from the list of validated PA-DSS applications.
All merchants still running the older, previously validated version of the application were required to perform an
upgrade, which was very challenging in this specific instance. The small software development company spent $50,000+
to clean up the mess that had not been caught by their former PA-QSA company.

Conclusion

It is at times very challenging for organizations to understand the level of expertise they are getting with outside
consultants and vendors. Often, the larger consulting organizations will send in their more experienced personnel to
sell the engagement, and then, after the contract is signed, staff-level consultants are the ones actually performing
the assessment. Although this makes sense from the consulting company's overall business perspective, the problem it
creates for the client organization is obvious. Organizations should not be afraid to inquire about the experience of
the consultants actually performing the Assessment. In addition, contractual language may need to be put in place
around experience requirements so that liability can be transferred in the event of a circumstance such as the one
described above.

Posted: 1/5/2012 (4 pages)