7Security welcomes a new Qualified Security Assessor

At 7Security, we believe every success should be celebrated – from completing yet another successful project or hearing good news from our clients… to, in this case, having the pleasure of calling one of our colleagues a Qualified Security Assessor for the first time!

Yasen Georgiev, who joined us earlier this year as Information Security Auditor, recently added the QSA title to his credentials, and we could not be happier for him. Yasen is now officially part of our QSA team and will be working closely with fintechs, helping them maintain their PCI DSS compliance.

‘PCI DSS is a unique standard’, shared Yasen, ‘it’s not fully technical; there are many controls related to people – the way employees implement and follow their security policies. I find the human factor here very intriguing. What also thrills me is not just assessing a company’s compliance with the standard but seeing various architectures and solutions in the process. I especially enjoy the consulting part of my role – sharing my know-how and providing support where needed. It’s great to offer the client an angle they haven’t thought about that ends up saving them costs and effort in managing their PCI environment. It’s my personal contribution to the fintech industry.’

‘I can’t say becoming a QSA was an easy journey’, added Yasen. ‘It had its challenges, but throughout the whole process I felt supported by my colleagues at 7Security, and I learned a lot from them and from the PCI Council training. At 7Security, we are adept at cloud technologies and the ways they simplify compliance, especially for startups who are going through their first PCI DSS. I feel lucky to be working next to people with such vast experience and interest in modern cloud solutions. Here, I can put my skills to good use, but I am also challenged daily to learn and grow.’

We wish Yasen many exciting projects. We are confident we will have plenty of occasions to share more success stories about him in the future.

Protecting Telephone-Based Payment Card Data

For businesses that handle card data through mail order/telephone order (MOTO) transactions, particularly those taking payments over the telephone, including over VoIP, the PCI Security Standards Council has published an update to the Information Supplement "Protecting Telephone-Based Payment Card Data" to help them secure that data in a manner consistent with PCI DSS.

This update arrives more than seven and a half years after the original document, published in March 2011. It is a clear improvement on its predecessor, providing detail where the original did not, and rightly so. Technically speaking, not much has changed: VoIP call media still typically travels over RTP on UDP. What has changed is how tightly these systems are now integrated with everything else, including but not limited to CRMs, billing, mailing, customer reward schemes and customer behaviour tracking systems.

WHY DOES IT MATTER?

It matters because those connected systems may have some form of access to card data. Or, more simply, because once PCI DSS puts your VoIP in scope, you have to look at every other system that is connected to the same network or can affect the security of the CDE, scratch your head, and reach for magic words such as "segmentation".

HOW IS VoIP A CHANNEL FOR ATTACK VECTORS?

Well, it is an unlikely channel, or rather not an overtly popular one yet, but a channel nevertheless. UDP is connectionless: a firewall or IDS cannot track a media stream the way it tracks a TCP session, and a stream of small, frequent, superficially valid packets is an attractive place to hide tunnelled data or malicious payloads. The reason we do not hear much about these attacks is probably that they have not gained speed yet, or, worse, that businesses are simply not aware they are happening.

Telephone systems touching card data have always been required to be in the scope of PCI DSS. Until now, they have largely been neglected or avoided altogether. In light of all we have said so far, it is evident this needs to change. A number of pointers in the guide are likely to raise an eyebrow, because they ask the business to bear the brunt of more stringent and resource-consuming changes to technology, people and process.

Yet, with telephony systems in scope of PCI DSS now more than ever, and with the new detail provided in the November 2018 release of the Supplement, system owners and QSAs alike need to come up with clever and workable ways to segment their VoIP systems, where possible, so that they comply with PCI DSS without it costing them an arm and a leg.
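Segmentation is only worth claiming if it can be shown to hold, so here is the kind of check a QSA or network owner can run over flow records exported from the firewall at the VoIP segment boundary. This is an added example written for this post, not code from the PCI SSC supplement or from any vendor; the network ranges, the allowed ports, the RTP port range and the flow-record format are all constructed assumptions and must be replaced with the real network plan. It classifies every flow leaving the VoIP segment as expected voice traffic, a segmentation violation (VoIP reaching the CDE) or suspicious traffic, with UDP to destinations nobody allowlisted called out separately because that is the shape a covert channel in a media stream would take.

```python
"""Segmentation sanity check for a VoIP segment next to a PCI DSS CDE.

Added illustration for this post. Every address range, port and the
"src,dst,proto,dport,bytes" record format below is a constructed
assumption, not taken from the PCI SSC supplement or a real network.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed network plan (assumptions):
VOIP_SEGMENT = ipaddress.ip_network("10.20.0.0/22")    # handsets, softphones, PBX
MEDIA_GATEWAYS = ipaddress.ip_network("10.20.4.0/28")  # SBC / media gateways
CDE = ipaddress.ip_network("10.99.0.0/24")             # cardholder data environment
SIP_TRUNK = ipaddress.ip_network("203.0.113.0/24")     # carrier trunk (TEST-NET-3)

SIP_PORTS = {5060, 5061}
RTP_PORTS = range(16384, 32768)  # a common default; confirm against the PBX config


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,proto,dport,bytes' record (constructed format)."""
    src, dst, proto, dport, nbytes = (f.strip() for f in line.split(","))
    return Flow(src, dst, proto.lower(), int(dport), int(nbytes))


def classify(flow: Flow) -> str:
    """Judge a single flow that originates inside the VoIP segment."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in VOIP_SEGMENT:
        return "ignored:not-from-voip"
    if dst in CDE:
        # Any path from telephony into the CDE means the segmentation
        # claim does not hold, whatever the port or protocol.
        return "violation:voip-reaches-cde"
    in_voice_zone = dst in VOIP_SEGMENT or dst in MEDIA_GATEWAYS
    is_sip = flow.dport in SIP_PORTS and flow.proto in ("udp", "tcp")
    is_rtp = flow.proto == "udp" and flow.dport in RTP_PORTS
    if in_voice_zone and (is_sip or is_rtp):
        return "ok:internal-voice"
    if dst in SIP_TRUNK and (is_sip or is_rtp):
        return "ok:trunk-voice"
    if flow.proto == "udp":
        # UDP to a destination that is not on the voice allowlist: the
        # firewall has no session state to reason about, so flag it.
        return "suspicious:udp-to-unexpected-destination"
    return "suspicious:unexpected-traffic"


def audit(lines):
    """Group flow records by verdict; blank lines and '#' comments are skipped."""
    report = defaultdict(list)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        report[classify(flow)].append(flow)
    return dict(report)


# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = """\
# src,dst,proto,dport,bytes
10.20.1.15,10.20.4.2,udp,5060,880
10.20.1.15,10.20.4.2,udp,20002,160000
10.20.1.16,203.0.113.10,udp,24000,152000
10.20.1.20,10.99.0.12,tcp,443,5300
10.20.1.21,198.51.100.7,udp,53,2100000
10.99.0.12,10.20.1.20,tcp,443,900
10.20.1.22,10.20.4.2,tcp,22,4100
""".splitlines()


if __name__ == "__main__":
    for verdict, flows in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{verdict}: {len(flows)} flow(s)")
        for f in flows:
            print(f"    {f.src} -> {f.dst} {f.proto}/{f.dport} ({f.nbytes} bytes)")
```

On the constructed sample the check finds one hard violation (a handset talking HTTPS to a CDE host), one suspicious TCP flow (SSH to the media gateway, which is management traffic, not voice) and one suspicious UDP flow (two megabytes of "DNS" to an unknown external address, which is the covert-channel pattern discussed above). In a real deployment the allowlist would also carry the DNS, NTP and provisioning servers the phones legitimately use, and the records would come from the boundary firewall or flow collector rather than an inline string.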