Recently I came across a case where a company had encouraged their clients to apply for their services via a written form, which included fields for credit card information to pay for those services. The clients were encouraged to return the forms via email in a PDF format. The company in question was undergoing a PCI DSS (Payment Card Industry Data Security Standard) assessment when the case came to light.
The company was focussed on the PCI DSS requirement and not the guidance or intent of the control. For example, requirement 4.2 states “Never send unprotected PANs by end-user messaging technologies (for example, email, instant messaging, SMS, chat, etc.)”. They were focussed on the word “send” and the cardholder data they requested was being “received” and not “sent” by them.
Without consulting the PCI Data Security Standard, critical thinking would have stopped such a scenario from developing.
The definition of “critical thinking” varies but the underlying concept is the same – “the objective analysis and evaluation of an issue in order to form a judgement”. In the case of the forms sent with cardholder data via email, critical thinking around the data flow would instantly tell you sending sensitive data via clear text emails needed further analysis. You wouldn’t need to know the PCI Data Security Standard to apply the right thought patterns to this scenario. For example most people know today that cardholder data is actively sought after by criminal elements and they are becoming more protective of that data.
Knowing that, a critical thinker may have thought twice about the wisdom of allowing sensitive data to be sent via clear text emails. Whilst they may have thought they were technically right in the eyes of the standard (and they were not) would those creating the process have been comfortable with transmitting their own sensitive data in that manner? If not, then how would they have liked their data protected and could they implement such solutions rather than taking the easy email route in order to sell services faster?
In this scenario critical thinking would also include researching the PCI Data Security Standard requirements further.
For example the “Guidance” on the same requirement mentioned above, 4.2, stated “if an entity requests PAN via end-user messaging technologies, the entity should provide a tool or method to protect these PANs using strong cryptography or render PANs unreadable before transmission.” In other words if you want the data via those means you need to ensure it’s secured before transmission.
A critical thinker may have thought about what else the PCI Security Standards Council (SSC) may have to say on the subject. A quick search of their website would have revealed an article (number 1310) titled “Are merchants allowed to request that cardholder data be provided over end-user messaging technologies?”. In that article they would have found guidance stating “if an end-user messaging technology is used to receive or send PAN, then that channel must be protected according to all applicable PCI DSS Requirements, including but not limited to Requirements 4.1 and 4.2. Additionally, the entity’s systems related to end-user technologies (e.g. e-mail servers) would be in-scope for PCI DSS.”
So, it’s clear that the company in question was non-compliant against requirement 4.2.
That ended up prompting change. However, sticking to the so-called letter of the requirement and not considering the guidance stated along with the requirement, or additional available information, created a gap in securing sensitive data. A significant one at that.
Sit too close to a television and all you will see is a blurred incomplete image. You need to take a step back to see the whole image. Critical thinking will help you see the whole process end to end, and in some cases, simple logic can help point you in the right direction to gain the understanding you need to make a considered judgment and decision.
In this case, focussing on the speed of service delivery, and key words in the standard, did not allow them to see the gaping hole in the security of the process.
When it comes to security and compliance, critical thinking is a necessity if cyber security teams are to keep pace with threat actors. I can almost guarantee your persistent threat actor is certainly applying critical thinking to getting past your defences and incident responses.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
Brian Odian is the Director of Asia Pacific Global Compliance & Risk Services Consulting at SecureTrust, based in Sydney. He has over 32 years IT industry experience including roles as a Security Delivery Manager and Global Security and Transformation Lead for large worldwide information technology corporations. During his career he has been across a wide range of industries and roles, including global management experience across multiple cultures and business environments.
Experienced in running global security programs, and some of the largest regional projects in Asia Pacific, Brian brings a mix of project management, security and compliance credentials together (CISM, CRISC,PMP, QSA, ISO27001 IA) to achieve the best results in delivering security solutions and compliance programs. He has been published by the Project Management Institute (PMI) and MSSP Alert along with conducting webinars on the General Data Protection Regulation (GDPR) and Compliance Intelligence. He has also presented on PCI Compliance for some of the “big four” banks and the Customer Owned Banking Association (COBA).