A burglary occurs every 15 seconds. The chance of your home being broken into is higher than you’d think. The good news is that today’s alarm systems are “not your father’s alarm.” Twenty years ago, a contractor had to spend a week tearing up your walls, ceilings, and windows to retrofit a messy, hardwired security system. These alarms were so expensive that they were mainly used by businesses, rather than in private homes.

Since then, home security systems have dropped in price. They are now mostly wireless, right down to the cellular phone signal. But what makes home alarms even more exciting is that the majority of the functions are cloud-based.

I have the “ADT Pulse,” which marries home security with automation. From almost anywhere — on the road, in your office, or even at the beach — you can access your cloud-based smart home system. Depending on the plan you select, this system can provide an unprecedented level of control with Z-Wave wireless technology, your own personal command center, compatible mobile phone, and interactive touch screen security system.

Using my iPhone or any computer, I can access a cloud-based server that allows me to watch live footage from each of the 16 cameras I have installed in and around my property. The cameras also begin recording automatically whenever motion is detected, and that footage is stored in the cloud and available to me anywhere, any time. It’s amazing how often I access these cameras when I’m on the road.

With home automation, I can use the cloud to remotely switch lights on and off and adjust the temperature control system. I also get alerts in the event of an intruder or even a broken water pipe!

Having a cloud-based, Internet-connected home security system certainly provides an excellent layer of protection, not to mention peace of mind.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Consumers enjoy a certain level of protection that business bank accounts do not, and it’s called “Regulation E.”

Here is Regulation E in black and white:

“ELECTRONIC FUND TRANSFERS (REGULATION E)

Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

1. Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

2. Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.”

Businesses do not get this kind of protection. So when business accounts are compromised, they often have to fight for their money. And today, more than ever, they are losing. But banks are losing, too. The only winners here are the criminal hacking enterprises.

In order to meet the Federal Financial Institutions Examination Council’s compliance guidelines by January of 2012, banks must implement multiple layers of security. The recent FFIEC guidance specifically called out complex device identification and moving to out-of-wallet questions.

Financial institutions and their clients aren’t only losing millions to fraud; they are losing millions more fighting each other. It makes more sense for banks to beef up security (all while properly managing friction for legitimate customers) than to battle with their customers.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep cyber criminals out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360, which is used by leading financial institutions such as credit issuers and banks, to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Fox News.

There are circumstances where companies could face some technical or business impediments preventing them from implementing the requirements as explicitly stated in the standard. Does this mean that these companies could never achieve and maintain compliance?

There is a common misconception that organizations must meet the requirements as they are written. This is not the case. The important thing is that the inherent security objectives behind each requirement are met. The PCIco and the Payment Brands provide some flexibility by allowing companies to pull a rabbit out of their hat. This rabbit is named "compensating controls": a very popular topic these days as more and more organizations look at it as a way to achieve compliance. But is this really the case?

What is a compensating control?

A compensating control is a work-around for a security requirement. In other words, it is another way to reach the objective behind a specific security requirement without satisfying the requirement itself. Understanding the requirement and its objective is therefore of the utmost importance in choosing and evaluating a compensating control.

The reader could refer to “Navigating the PCI DSS” to get an understanding of the objective behind each requirement.

For which requirements can compensating controls be used?

With the exception of requirement 3.2 (Do not store sensitive authentication data after authorization), any security objective supported by the PCI DSS requirements can be met with compensating controls.

There is, however, a caveat to the above statement. Companies must prove that the roadblock to implementing the requirement is temporary and due to "legitimate" technical or business constraints. The term “temporary” is important as the situation must be reviewed on an annual basis.

What does “legitimate” mean to the Council? It isn’t very explicit on this. The cost of implementation is definitely not a legitimate constraint in the Council’s view. However, an application running on an old, unsupported operating system (backed by a migration roadmap) or the Christmas sale load delaying implementation are two examples of “acceptable” legitimate constraints provided by the Council at the 2011 PCI community meeting.

What is a valid compensating control?

To potentially be considered valid, a compensating control must fulfill the same intent and objective as the requirement it is supposed to replace, with the same or a higher level of defense, and without introducing any other risks (side effects), or with any additional risks both minimized and documented.

So the root of the issue is whether or not the risk has been sufficiently addressed: the risk of not implementing the requirement, and the risk inherent to the selection of the compensating control.

How should a compensating control be documented?

Every compensating control must be supported by a risk analysis and must be documented as follows:

1. What is the original objective that one tries to cover?
2. What are the legitimate constraints preventing meeting the original requirement?
3. What is the compensating control?
4. What are the identified risks posed by the lack of the original control or introduced by the implementation of the compensating control?

Who should validate a compensating control?

According to the standard, QSAs are the ones responsible for validating compensating controls, at least for Level 1 merchants and service providers. For all other merchant levels, the acquirers themselves are the only validators.

However, the majority of QSAs are NOT in favor of compensating controls and would dissuade their customers from using them. According to them, compensating controls could turn out to be much more costly and difficult to implement than the requirements they replace. The fact that QSAs must sign off on the compensating controls is probably another reason for this reluctance.

Additionally, there is no uniformity in the validation of legitimate constraints and compensating controls among QSAs. A compensating control could be validated by one QSA while being rejected by another.

A central database of “historically accepted compensating controls and legitimate business or technical constraints” could be of some added value for the community.

Conclusion

My interviews with the Council, the Brands and the QSAs on that matter lead me to conclude that, due to the stringent constraints imposed by the PCIco on the selection and use of compensating controls, combined with the QSAs’ reluctance to approve their use and the lack of uniformity in validation, compensating controls should be considered more a mirage than a magic trick.

Questions

1. What is your experience in this field?
2. Have you already made use of compensating controls?
3. If yes, was it easy to get them validated?
4. Would you be in favor of a publicly available database of compensating controls?

Reference:

Navigating the PCI DSS

PCI Compliance dashboard

New companies with a market capitalization under USD 1 billion will now be able to opt out of regulations within section 404 of the Sarbanes-Oxley (SOX) Act for the first ten years after going public. This option was previously available only to companies under USD 75 million.

Congressman Ben Quayle introduced the Startup Expansion and Investment Act to, “make it easier for emerging companies to access the capital necessary to expand and create jobs”. Quayle noted that removing one of the many regulatory hurdles that inhibit companies from going public would lead to more economic growth.


“While I understand the delay in SOX compliance for smaller companies, I would encourage companies to prepare for SOX compliance in advance by reading the standards well and understanding the requirements,” said Roxana Santiago, Finance SOX Manager at Hospira, Inc., and a presenter at the upcoming marcus evans 22nd Edition SOX Compliance & Evolution to GRC Conference in Chicago, Illinois, November 15-16, 2011.


“The standards do offer some flexibility and allow the opportunity to focus only on high risk areas that would detect and prevent material misstatements. Understanding the process for establishing thresholds for materiality would give the company a basis for identifying risks and documenting controls in those areas. Putting these actions into practice prior to actual compliance requirements gives executives a head start.”


Minisa Becker Capozzoli, Senior Financial Analyst at Hospira, Inc. added: “The Standard proposes starting with the identification of the company’s risks that material misstatements will not be prevented or detected. A few categories of risk include complex accounting areas such as revenue recognition, tax and accounting estimates. In addition to these, companies need to assess other risks specific to their business, such as areas with highly manual intensive process, or poor systems support. Companies will need to look beyond the standard accounting risk categories and reflect upon their business, processes and systems to identify other financial risks.”


“One of the great benefits of the SOX Act is it forces companies to be more pro-active by designing up-front preventive controls,” Alan Bedwell, Senior Financial Analyst at Hospira, Inc. highlighted. “It also forces companies to re-think and re-visit processes and controls, identify areas with existing gaps or too many controls and streamline processes, thereby becoming more efficient and productive. It offers Senior Management more transparency to the Financial Statements and holds accounting and finance professionals accountable through controls certification procedures.”


Santiago added, “This is how companies reap the benefits of SOX programs and build integrity and accountability in internal financial reporting processes. Companies have always been required to have solid systems of internal financial reporting controls. The SOX Act simply forces companies to formally acknowledge this through documentation protocols.”


One challenge with SOX compliance is cost. There are many ways to keep costs down. One way is by not doing more than the standard requires, according to Santiago. Initially SOX compliance was time consuming and manually intensive because many were doing a lot more than they needed to.


“I would encourage small companies to focus on what is ‘truly’ needed and create the buy-in and awareness within the accounting and finance functions. While the external auditors will review management’s work and provide an independent opinion, they are not as close to the business and related risks as the company, and should be challenged where applicable,” Santiago concluded.


Roxana Santiago, Minisa Becker Capozzoli and Alan Bedwell of Hospira, Inc. will be co-presenting at the marcus evans 22nd Edition SOX Compliance & Evolution to GRC Conference in Chicago, Illinois, November 15-16, 2011.

For more information, please contact Michele Westergaard at 312-540-3000 ext. 6625, or visit the 22nd Edition SOX Compliance & Evolution to GRC website.

Criminals often target cash machines, as well as various other automated kiosks that dispense DVDs, tickets, or other merchandise. They have discovered numerous techniques for compromising these devices. According to the ATM Industry Association (ATMIA), ATM fraud alone results in over a billion dollars in losses each year.

But manufacturers are fighting back.

Diebold, a security systems corporation and the largest ATM manufacturer in the US, has developed a prototype for a “virtualized ATM.” The new machines will utilize cloud technology to enhance security, mitigate fraud, and improve operational efficiency, delivering an optimal consumer experience.

Unlike traditional ATMs, these new machines will contain no onboard computer. Instead, each individual terminal will be connected to a single, central server, which will provide resources to a fleet of cloud-based ATMs.

This advancement will give banks and ATM operators greater control over multiple machines. Servicing the new ATMs will be easier and more efficient, with more updates and less downtime.

For consumers, the most noticeable differences will be better service and security. Over time, the savings in operating cost can be put toward upgrades in card technologies, near field communication, and possibly even biometrics.

The emergence of cloud technologies will speed up the adoption of many new, more convenient and streamlined offerings. The future is here, and it’s fun!

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. 

Hackers and crackers and data breaches! Oh my! Confused? Overwhelmed? Don’t care? You should, and there’s help.

Few people are as head first into gadgets, technology, the cloud and security as I am. I have my devices, my wife’s, my kids’; there are Apple products, Microsoft Windows, smartphones, feature phones and tablets. It’s maddening.

Now, instead of one PC per household, consumers are purchasing multiple devices. And with consumers able to access the digital world as easily from their smartphones and tablets as from their personal computers, PCs are no longer the main method of connecting to the Internet.

This wave of new devices and their ease of connectivity also means that consumers are now starting to think differently about their digital security.

Mobile Device Users

The threat of lost or stolen devices, and the possibility of the personal information on them being used for fraudulent purposes, is a significant concern. In the United States, 113 mobile phones are lost every minute, and more than half of smartphone users do not use any password protection to prevent unauthorized device access.

Mac Users
Mac OS is not safe from viruses. As of late last year there were 5,000 malware versions targeting the Mac, a number that is growing by ten percent per month.

Child and Teen Users
Are your kids being exposed to pornography? Will they be contacted by strangers through their social networking profiles? Are they downloading age-appropriate music and movies? Having protection on the household PC is no longer enough. Parents need to know that their children are safe on all the devices they use, wherever they connect.

Solutions
It is here, and it is called McAfee All Access. Before, consumers had to look for and download a hodgepodge of security software from numerous vendors, with multiple “keys” to activate. What McAfee knew consumers wanted was an “all in one” solution that, once and for all, provides a dashboard to manage all your devices from one place, regardless of whether each is a PC, smartphone, tablet, netbook, or Mac.

Robert Siciliano is an Online Security Evangelist to McAfee. 

This blog is to respond to the attendee questions we didn't get to on today's roundtable: Aligning GRC Technology with your GRC Program. I have posted the questions below and our speakers will aim to respond (by comment) within 72 hours.

  1. Is it reasonable to expect that very large organizations (e.g., AIG, Citigroup, other global companies) have a centralized GRC program, or is it acceptable to have more region-specific programs?
  2. Jean-Marie, you talked earlier about multiple stakeholders and board level involvement. At what point does the decision maker who will buy GRC technology or services actually interact with the Board? Many of these buyers are far down in the organization, especially in IT GRC.
  3. Chris, do you see a shift from development platform-like products to more off the shelf solutions, ones that do not require many months and large amounts of money to prepare and deploy?
  4. Anindo, given that larger, broader GRC implementations involve more and more stakeholders, how do you communicate the value proposition to so many different stakeholders?
  5. Is there any benchmarking data available for the cost of implementing a GRC platform and integrating it with your organisation?
  6. Most GRC projects start out with a business benefits case. Is there any data about whether those benefits were actually realised and the ROI achieved?

The PCI Compliance Dashboard is a spreadsheet providing a single view of all the information you need to complete the PCI Compliance process, without having to open multiple documents on the side.

In the last two weeks Verizon published their 2011 PCI Compliance Report and PCIco released the new version of the Validation instructions for QSA.

For the convenience of the community, I have integrated this useful information into the PCI Compliance Dashboard. A new version is now available with the following additional information:

  • The major observations from the 2011 Verizon PCI Report for each of the 12 Requirements
  • The detailed validation instructions for QSA/ISA, extracted from the newly released ROQ QSA Reporting instruction for PCI DSS 2.0
  • The list of merchant types
  • Additional links to PCI 30 seconds newsletters and other documents

Do you like this tool and our initiative?

Let us know by leaving a comment or suggestion on this page or on the PCI Compliance Dashboard page.

Let us know by clicking on the "I like it" icon on the PCI Compliance Dashboard page.

The PCI Compliance Dashboard Spreadsheet

Didier