Call 1-877-740-5028

Guide to Becoming PCI Compliant: Protect Cardholder Data

By Adam Goslin on August 30, 2010

Online Tech brings you a new series on PCI Compliance by Adam Goslin, Co-Founder of High Bit Security, a full service security company specializing in Payment Card Industry Data Security Standards Compliance and Penetration Testing. PCI compliance is important for all of our clients who hold and handle credit card information. The series will explain the six objectives of PCI DSS and how to maintain PCI compliance for your company. We hope that you find it useful and we welcome your feedback.

The next installment in this series covers the second principle of PCI DSS compliance – Protect Cardholder Data.

This principle literally sets the tone for your entire PCI DSS compliance effort scope. For those commencing with Payment Card Industry Data Security Standard compliance, your first objective should be to mitigate and preferably avoid the storage (in any form), receipt (in any form) and transmission (in any form) of cardholder data. Further, one should take steps to minimize the number of physical / logical devices within the cardholder data environment.

Of course, this begs the question “What is cardholder data?”. Cardholder data is comprised of the card number on the front of the card; the magnetic stripe data captured when the card is swiped and the security code (3-4 digit code also known as the card-verification code or value) imprinted on the reverse side of the physical card and the personal identification number (PIN).

Consultation with a firm experienced with the PCI DSS requirements is a critical step early in your compliance objective to minimize your scope and streamline your implementation. Minimization of both cardholder data stored, and the amount of time the data is stored (retention period) is key. The storage of sensitive authentication data after authorization is prohibited; this includes storage of: the magnetic stripe data, card-verification code or value (CVC / CVV), personal identification number (PIN).

Whenever the card number (also known as primary account number or PAN) is displayed, it must be masked. For ease, most organizations will display account numbers as XXXX-XXXX-XXXX-1234, and this requirement applies to any situation where the card number is displayed – physical or electronic.

Should the card number be stored, you’re required to render the card number unreadable (encrypted) when stored. There are several methods one can leverage to accomplish this goal, including encryption of each individual value, encryption of a column in the database, encryption of the file leveraged for storage or encryption of the entire disk. Selection of the encryption approach really depends on your particular situation, and should be considered carefully before making a snap decision as there may be ramifications that impact your application layer, middleware and encryption authentication requirements.

Any form of encryption that is needed as a result of having cardholder data stored will also require you to establish an encryption key management program that will be required to be included in your policies, limit number of locations of key storage, and limit the number of key custodians (people with access to any portion of the cryptographic keys). For the key management requirements of PCI DSS, there are several requirements from a process / policy perspective that need to be addressed and numerous possibilities for maintaining compliance.

Whenever transmission of cardholder data is required across an open, public network (the Internet) that transmission must leverage strong encryption and security protocols such as SSL / TLS or IPSEC. An example of SSL would be the electronic transmission of web based traffic, such as when you log into your web based banking interface and the URL is begins with HTTPS:// and the lock is showing on your web browser. An example of IPSEC could be a situation where your organization requires an encrypted tunnel from your firewall to the firewall of one of your customers.

There are numerous requirements for the deployment of wireless technology when that technology is transmitting cardholder data or connected to the cardholder data environment. Unless your implementation specifically requires wireless technology, there are numerous advantages to avoiding the implementation of wireless. However, if you do require wireless technology for your environment it would be strongly recommended to consult with an expert regarding your specific needs.

Lastly, your policies need to prohibit the unencrypted sending of cardholder data through end-user messaging technologies such as email, instant messaging, chat. Unless your business requires the encrypted transmission of cardholder data through such end-user messaging technologies, complexities of policies and procedures are streamlined by a business stance that indicates all transmission of cardholder data via end-user messaging is prohibited.

In the next blog posting, we will cover “Maintain a Vulnerability Management Program”.

Adam Goslin, Co-Founder, High Bit Security, LLC
Adam has an IT career that spans more than 15 years, recently leading the IT and Infrastructure teams of Osiris Innovations Group as the Vice-President of IT, including leading the company through achieving PCI DSS Compliance. Adam went on to found the full service security firm, High Bit Security, LLC., specializing in assisting companies looking to achieve Payment Card Industry Data Security Standards compliance; and cost effective Penetration Testing.

For more information about PCI compliance, you can email Adam at agoslin at highbitsecurity.com

    Add Comment

    Posted in | Tagged , , , , | Leave a response

    How a Metric-driven, Collaborative Company Culture Nurtures Great Customer Service

    By April Sage on August 26, 2010

    As one of the most recent additions to Online Tech, the differences in company culture from previous businesses remain fresh and notable. Coming from an agency background with a perspective across many industries and business models, it’s not been easy in Michigan to share a lot of good news. Companies have lost budgets, workers have lost colleagues, businesses have radically downsized or downright faded away. So at Online Tech, laughter was one notable difference. An increasing number of employees and meeting or exceeding quarterly targets another. A 3rd straight growth year? In Michigan?! Almost unheard of. It got the better of my curiosity going, that’s for sure.

    There’s a lot of quiet, heads down work here, but a strong and definable team spirit that sets the context for our individual efforts. For example, every day at 3:30 sharp, we all get together for a 10 minute huddle. It’s always met with good spirits, and always right to the point. Each department – finance, sales and marketing, operations, & product development – brings 3-4 metrics to the meeting. All stats are shared company wide – across headquarters, all data centers, reps and techs on the road – everyone. We’re all on the same team here, every day. We all know exactly where the #s stand – revenue, pipeline, losses, support tickets.

    Some of the metrics stand out more than others. Sure, the revenue and losses that translate directly to our overall profitability are key. But there are 2 metrics that make the entire company pause – all attention becomes riveted, and I’m not even sure people remember to breathe if these stats are anything other than “0”:
    1) number of outages that result in any customer down time
    2) number of tickets unanswered after 15 minutes or unresolved after 1 hour

    Everyone in the company knows that as a data center provider, these two metrics are the lifeblood of our business. If we can’t stand behind our promise to be “Always On”, all other metrics will falter.

    Every company responds to their customers. But how many have proactive, daily measuring and sharing of those metrics across the entire company? Instead of a harried response to emergencies, we find ourselves more often making process improvements that will further decrease the number of trouble tickets, our response time to them, and give our clients better visibility and access to the status and performance of their services and devices – before problems cause downtime. Instead of resentful frustration, we enjoy a steady stream of raves and enthusiastic testimonials and referrals – which makes daily life enjoyable for all of us. Remember that laughter differentiator?

    Does it really make a difference to the bottom line? Our average length of contract has extended by several months in the past year. Our customer retention is higher. Our bottom line has increased 30% over the last year, our 3rd straight year of growth during some of the toughest times Michigan has faced.

    Try it out. Choose the top 10 indicators of success in your job, department, or company. Take 5 minutes to measure them every day and share the metrics with everyone involved. See where you stand in a month, 3 months, 6 months. Maybe you’ll have more to laugh about and less to stress about.

      Add Comment

      Posted in | Tagged , , | Leave a response

      Gartner on Public & Private Cloud Computing

      By Mike Klein on August 25, 2010

      According to Tom Bittman, vice president at Gartner, IT managers are more concerned with security and privacy than they are with the next three public cloud problems combined.

      In a separate poll on public cloud computing versus private cloud computing, 75% of IT managers said that they will be deploying a private cloud strategy by 2012 and 75% will invest more in private clouds than in public clouds through in the next 2 years.

      Gartner believes that the investment in private cloud computing will outweigh the investment in public cloud computing for the next several year.  I agree – the obstacles of network and data security, performance and compliance issues means private clouds win – at least in the foreseeable future – when it comes to corporate IT deployment.

        Add Comment

        Posted in | Tagged , , , , , | Leave a response

        Microsoft’s Cloud Strategy: Where do you fit in?

        By Bill Ryan on August 24, 2010

        In the 5/3/10 InformationWeek article “Microsoft’s Cloud Plan: What’s In It For You?” by Chris Murphy, he says that Microsoft is all in. The article suggests they are actually trying to help people do what they really will need to do for the modern time.

        I guess if you are a complete Microsoft shop there might just be something in it for you. However, if you are like most companies not all your apps are Microsoft based, how does that play into Microsoft’s Cloud strategy?

        The article also suggests that Exchange Online and Sharepoint Online have been Microsoft’s leading SaaS offerings through its business productivity online suite (BPOS). But again, what if you’re not a Microsoft fan or have a business that doesn’t need Microsoft based applications?

        Perhaps a private cloud is better suited for these companies? Is Microsoft headed down a path of least resistance or is the hassle not just not worth it?

          Add Comment

          Posted in , | Tagged , , | Leave a response

          Why We Use Enterprise Drives in our Managed Servers & Private Cloud Servers

          By Mike Klein on August 20, 2010

          Many low end dedicated servers on the market are desktop computers that are stacked on metal shelves or put on roll-able baker’s racks and sold as dedicated “servers”.

          At Online Tech, desktop computers aren’t what our clients are looking for in a managed server.  Our clients need managed servers with 24×7 reliability to run their customer-facing systems and internal IT infrastructure.  Running those systems on desktop computers doesn’t provide the reliability that our clients demand.

          The same is true when it comes to the type of hard drives that we deploy in our managed servers and private cloud servers.  By deploying enterprise drives instead of lower cost deskstop drives in our servers, we are able to deliver a higher level of uptime and error correction that isn’t available with desktop hard drives.

          Desktop drives are designed for 5×8 service – or a typical 40 hours a week work cycle.  Enterprise drives on the other hand are designed for servers running in a 7×24 environment – 168 hours per week with a far heavier data demand than most desktops see.

          eAegis has a great article on the difference between Enterprise HDD and Desktop HDD.  In a nutshell, here are the driving differences between the enterprise hard drive and a desktop drive:

          1)      Faster Error Recovery Time – Enterprise drives automatically detect read/write errors and report them to the RAID controller for corrective action which the RAID controller can issue without taking the drive offline.  Desktop drives are built for the assumption that no RAID controller exists and tries to recover the data without informing the RAID controller.  Ina server, the RAID controller sees the drive as being non-responsive and takes it offline to be rebuilt. If the second drive fails during this time, a catastrophic loss of data can occur.

          2)      Rotational Vibration Tolerance – With racks of servers with multiple drives, the rotational vibration within a rack can multiple far above what is seen in normal desktop operation.  Enterprise drives are designed to run in high density, multi-server environment without performance degradation or data loss.

          3)      Error Correction and Data Integrity - Enterprise class drives use ECC for data passing through drive memory and may use additional error detection methods for data transmitted within the drive electronics. Data that is transmitted from one end of the drive to the other with this system would be accompanied by some type of parity or checksum at every stage. Desktop drives have error detection, but do not support end-to-end data protection that the Enterprise class drives implement, leaving the drives more susceptible to data loss.

          We believe that success in the managed server and private cloud market is measured in uptime, service and customer satisfaction.  Enterprise drives are more expensive to deploy, but provide a better customer experience with a lower risk for failure.

          That’s why we deploy enterprise drives in our managed servers and private cloud servers.

            Add Comment

            Posted in , , | Tagged , , , , , , | Leave a response

            Chronicles of a Techie: Firewall Documentation

            By Ryan Gunther on August 17, 2010

            A new series from Online Tech, “Chronicles of a Techie,” aims to show common problems facing IT technicians and how to solve them. This first edition focuses on firewall documentation.

            Techie A runs up to Techie B “Hey Techie A, our Boss Mr. Smith is upset. He just found out we have FTP opened up from anywhere to our Server and wants to know why. Do you have any idea?”

            Techie B thinks about it for a minute. “I didn’t tell anyone to open up that port. You know what? We have Online Tech manage our firewall. I bet they know.”

            Techie A runs off to his cubicle and called 734-213-2020 and hits option 3. The phone only rings once before he hears someone answer.

            OT Engineer A “Hello, Online Tech support how may we help you.”

            Techie A “Hi, this is Techie A from Acme Corp. I just found out we have a firewall rule for FTP opened up from anywhere to our Server A. Do you know why?”

            OT Engineer A “Give me one moment to look over your tickets.”

            Techie A hears some typing over the phone, click click.

            OT Engineer A “Ahhhh, I see Mr. Smith opened up a ticket on 5/27/2010 asking for FTP opened up from anywhere to Server A. He said he would open a ticket up to close down that port as soon as testing was completed. Would you like me to make a ticket to have that port closed for you?”

            Techie A “Please, my secret code is ****” twenty minutes later he receives an email from OT Engineer B “Thank you for using Online Tech, your firewall rule request has been completed. Thanks OT Engineer B.

            At Online Tech we document every change request that is made on a shared firewall or a managed firewall. We document who opened the ticket, when it was done and the exact commands we put into the network device to complete the request. All of these tickets are available to you to review when you log into https://customer.onlinetech.com or call support at 734.213.2020 ext 3.

              Add Comment

              Posted in | Tagged , , , | Leave a response

              Private Clouds Win

              By Mike Klein on August 12, 2010

              According to Yankee Group’s recent  survey on Cloud Computing,  more enterprises are considering cloud computing a viable technology. Nearly 60 percent see the technology as an enabler, compared to just 37 percent a year ago.

              Even more interesting, the Yankee Group found that private cloud computing is preferred 2:1 over fully managed public cloud solutions.   67% of respondents preferred the private cloud, whereas only 28% preferred a fully managed public cloud, 21% preferred an unmanaged public cloud, and 8% were looking to a hybrid cloud solution.

              The private cloud addresses key enterprise concerns with the public cloud deployments:

              • Network and Data Security
              • Performance
              • Lack of IT control to manage the environment
              • Compliance Risks

              Public clouds are useful in deploying development systems and public facing systems with non-corporate data.  When it comes to deploying corporate systems in the cloud, the private cloud seems to have the edge in both the confidence of IT managers as well as solving the key issues inherent to corporate IT deployments.

                Add Comment

                Posted in | Tagged , , | Leave a response

                Can Your IT Department Survive: “No Word on When Power Will be Restored?”

                By Bill Ryan on August 10, 2010

                In a recent ClickOnDetroit.com article entitled “Community Alert: 3,500 Without Power In Southfield” they explain how a simple outage can lead to the dreaded conclusion of “No word on when power will be restored.” It just continues to demonstrate that if you still have your production Information Technology equipment in an unprotected environment, your are at risk to a indefinite outage.

                Ask yourself, what happens if there is a prolonged outage? How many dollars of production are lost? Can my organization afford that?

                If you can’t afford to be down this summer during all the construction and power failures, perhaps you should look outside at a fully managed data center that has the redundant infastructure to keep you online even in the most dire situations.

                  Add Comment

                  Posted in , | Tagged , , , | Leave a response

                  How to Extend a T1 from an ADC Telecommunications Panel

                  By Noah Wolff on August 9, 2010

                  To extend a T1 from the wire wrap panel, connect your extend wiring as follows:
                  Pin 1 – EMPTY (tracer lamp)
                  Pin 2 – White/orange
                  Pin 3 – orange
                  Pin 4 – Blue
                  Pin 5 – white/blue

                  Tip is the ground side (positive) and Ring is the battery (negative) side of a phone circuit

                  Extend a T1

                  *TL means tracer lamp

                  These colors wrapped onto these pins assumes you’re using an RJ45 connector with TIA 568B pinout at the other end, the end plugging into the WIC card on the T1 router. A common mistake is to assume “T” and “R” means transmit and receive. They mean tip and ring.

                  T1 pinout is 1, 2, 4, 5.
                  Pin 1 – RX, Ring, negative
                  Pin 2 – RX, Tip, positive
                  Pin 4 – TX, Ring, negative
                  Pin 5 – TX, Tip, positive

                  Pins 3 and 6 can be employed for grounding if necessary. Typically, unnecessary.

                  Rule of thumb: always cross-connect from OUT to IN and IN to OUT. Pin 1 on the ADC panel is transmit, but it turns into receive for pin 1 of the RJ45 connector. Follow the diagram above and you’ll be fine.

                    Add Comment

                    Posted in | Tagged , , , | Leave a response

                    Cloud Computing: Your Company’s Game Changer?

                    By Bill Ryan on August 5, 2010

                    In the April 19th edition of NETWORKWORLD there is an article entitled “Cloud Computing is the big story at Interop Las Vegas”. The article written by Brad Reed states ”Clearly cloud computing is a game changer and it’s one technology that we think people should know about”.

                    We at Online Tech feel the same way.  Whether you currently have a data center or not and are thinking  about cloud computing  for your organization, the private cloud could bring your business into the next generation of IT.

                    Ask yourself, do I know enough about cloud computing ? Could it be THE game changer everyone says it will be for your organization?

                      Add Comment

                      Posted in | Tagged , , | Leave a response

                      Next »