PCI SSC Asia Pacific Town Hall Meeting, Singapore 14 June 2012

On Thursday the 15th of June, the Payment Card Industry Security Standards Council (PCI SSC) travelled to Ground Labs’ hometown of Singapore and hosted the first Town Hall Community meeting in Asia.

The turnout was nothing short of impressive with over 200 delegates in attendance including a variety of major brands operating in the region and a notable delegation of QSAs including Stratica, Witham Laboratories, Vectra Corporation and Verizon Business flying across from Australia.

The agenda included a variety of PCI compliance updates and real-life insights for technical and non-technical audiences with presentations from Bob Russo (General Manager, PCI SSC), Troy Leach (CTO, PCI SSC), Ritchie Sim of the NSW Police Force in Australia and Johan Oman of Cybercom.

Bob Russo addressed the audience at various intervals throughout the day including a real-life story where Bob explained how he suffered a house break-in which would have been deemed “compliant” with physical security best practices using protective measures such as dead-bolted doors, an electronic alarm system, and a dog!

Yet Bob still managed to suffer an intruder break-in.

In Bob’s case, his state of “compliance” was falling short on the particular day the break-in

occurred due to 3 very simple problems – 1) The rear-door was not locked properly 2) The alarm system was setup in different zones and on this particular day, the room suffering the break-in was not being monitored 3) Bob’s dog had poor hearing!

This example described by Bob is identical to many organisations who believe they are PCI compliant due to all the boxes being ticked yet still suffer security breaches. Too often we all hear about poor (or no) network security monitoring, configuration changes to firewalls or internet facing systems and most importantly and cardholder data lying around in locations that are completely exposed without any form of protection or obfuscation (hence, cardholder data discovery is a hot topic).

Ritchie Sim of the NSW Police delivered a eye-opening presentation outlining details of a recent major crime bust which occurred in Australia.

We were requested to keep the details of the case confidential however at a general level the attack vectors used was POS skimming via a series of complex device modification techniques. The example went on to prove that criminals looking to commit cardholder data theft don’t necessarily have to be technical with almost any skillset is available for hire in the world. In this case the organisers paid up to $350,000 to fly-in an expert on POS devices to make the necessary modifications to remotely transmit customer cardholder data processed through the device. The police seized a large amount of compromised terminals and the offenders, primarily from other south-east Asian countries received lengthy jail sentences for their involvement.

Troy Leach, CTO of the PCI Council gave an update on the current Special Interest Group initiativeswhich also incorporated a separate presentation titled “The Bridge of Compliance” showing how various techniques and strategies can shorten and simplify an organisations compliance journey. Mohamed Zouine of Ground Labs UK Office was in attendance and asked Troy whilst on stage a question about the councils view of treating Cardholder Data Discovery as Requirement 0 – the first thing you should do before addressing any of the other PCI requirements. Troy confirmed internally the Council takes this view and agrees that once you know where all of the cardholder data is being stored across an environment, only then can you really begin addressing issues and implementing permanent solutions.

Bob Russo, Andy Freed and their dedicated team did an outstanding job of organising this landmarkevent which the region needed to promote the true benefits PCI compliance for organisations of any size. It is clear the council has many plans for the region given that many companies located in Asia are not under stringent mandates to become PCI Compliant therefore resulting in very low awareness of the standard. Most PCI compliance activities occurring within the region are driven by large multinational organisations where the standard is enforced upon all global business units. We hope after this event, this general attitude will start to improve and encourage local acquirers along with their connected PSP’s to take a more pro-active approach and promote PCI compliance across their merchant customer base.