<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-37657084</id><updated>2011-10-06T09:05:20.686-07:00</updated><category term='TJX'/><category term='Managed PCI'/><category term='security breach'/><category term='Database security'/><category term='PCI Compliance'/><category term='PCI'/><category term='Oracle'/><category term='database'/><category term='Compliance as a Service'/><category term='PCI Compliance tools'/><title type='text'>pcistuff</title><subtitle type='html'>The leading PCI Solutions discussion blog. Mark Mac Auley explores how to satisfy PCI requirements simply, and affordably bullet by bullet.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>35</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-37657084.post-5638833319188956025</id><published>2008-06-02T07:28:00.000-07:00</published><updated>2008-06-02T07:34:42.948-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>So What? Does the Hannaford breach infer PCI is a waste?</title><content type='html'>This question has been on my mind for a few weeks, and I wanted to stir the pot a bit.&lt;br /&gt;&lt;br /&gt;Hannaford was PCI compliant at the time of the breach, so what does this really mean?&lt;br /&gt;&lt;br /&gt;Should a company spend millions up front, when it was documented that even though they were compliant, they had to spend millions more after the fact?&lt;br /&gt;&lt;br /&gt;What does that say about the standard itself?&lt;br /&gt;&lt;br /&gt;What fines are going to be handed out? Is proving PCI Compliance the 'Get out of Jail Free' card and so no fines will be doled out?&lt;br /&gt;&lt;br /&gt;If I am a company, and have followed this one, why spend the money on getting PCI compliant when it appears that even if I am, the only downside is no fines. 
And if the fines are less than the remediation PLUS the compliance process, what's the value to me as a business of getting compliant, vs taking out an insurance policy for $300/record at risk?&lt;br /&gt;&lt;br /&gt;Thoughts?&lt;br /&gt;&lt;br /&gt;pcistuff @ gmail.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-5638833319188956025?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/5638833319188956025/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=5638833319188956025' title='41 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5638833319188956025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5638833319188956025'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2008/06/so-what-does-hannaford-breach-infer-pci.html' title='So What? Does the Hannaford breach infer PCI is a waste?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>41</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-2169388653148303104</id><published>2008-04-02T12:19:00.000-07:00</published><updated>2008-04-02T12:31:34.547-07:00</updated><title type='text'>Ouch - Mastercard and TJX to Settle</title><content type='html'>I just read this article from the Boston Globe where they are reporting a $24M settlement between Mastercard and TJX. Ouch!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Framingham retailer TJX Cos. 
reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year.&lt;br /&gt;&lt;br /&gt;TJX, parent of discount retail chains including TJ Maxx and Marshalls, struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach. &lt;br /&gt;&lt;br /&gt;TJX said the MasterCard settlement will be valid only if accepted by banks that issued 90 percent of the cards with fraud claims following the breach, which affected as many as 100 million card numbers, a record. In exchange banks would agree not to sue TJX or institutions that processed the charges at its stores.&lt;br /&gt;&lt;br /&gt;The deal helps TJX wind down the episode, though it still faces court claims and just last week was criticized by the Federal Trade Commission over past security practices. &lt;br /&gt;&lt;br /&gt;In a statement, TJX chief executive Carol Meyrowitz said: “We believe this settlement agreement provides a fair resolution for MasterCard and its issuing banks and look forward to a high level of issuer acceptance. Providing a secure shopping environment for our customers remains a priority for TJX. 
Beyond the many millions of dollars we have spent to add significant security to our computer system, we are installing security measures which exceed those of many other retailers and current industry requirements.” &lt;br /&gt;(By Ross Kerber, Globe staff)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-2169388653148303104?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/2169388653148303104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=2169388653148303104' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/2169388653148303104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/2169388653148303104'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2008/04/ouch-mastercard-and-tjx-to-settle.html' title='Ouch - Mastercard and TJX to Settle'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-2774259527431859911</id><published>2008-03-20T12:55:00.000-07:00</published><updated>2008-03-20T13:06:30.518-07:00</updated><title type='text'>Hannaford you f-ing boneheads!</title><content type='html'>So this one hits close to home for me since I frequent Hannaford Brothers 2-3 times per week. It also hits even closer to home because I have contacted their CIO, CFO, and several folks in their IT group offering help for the past two years. &lt;br /&gt;&lt;br /&gt;Why? 
&lt;br /&gt;&lt;br /&gt;It is in my best interest to protect my information with the companies I do business with and especially those companies in my backyard.&lt;br /&gt;&lt;br /&gt;Mr. Ron Hodge here is my list of people that I have contacted in the past two years to prevent this from happening. I will also tell you that this whole issue could have been prevented for under $200,000:&lt;br /&gt;&lt;br /&gt;Bill Homa - CIO&lt;br /&gt;Jeff Reeder - CFO&lt;br /&gt;Kevin Carleton - Director of Retail Operations&lt;br /&gt;Tricia Gilbert - IS Auditor&lt;br /&gt;John McFarland - Enterprise Systems Team Lead&lt;br /&gt;&lt;br /&gt;Add to this list past folks who either had the sense to leave before the sh*t hit the fan, or to bail before they were held accountable by some loudmouth like me:&lt;br /&gt;&lt;br /&gt;Paul Fritzson - CFO&lt;br /&gt;David Fournier - IT Security Specialist&lt;br /&gt;&lt;br /&gt;If anyone from Hannaford Brothers reads this, please get back to me. I am still in a position to help, and I will wait for the phone call from Lifelock to see if the 1800 cases of fraud will include me soon.&lt;br /&gt;&lt;br /&gt;identitystuff@gmail.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-2774259527431859911?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/2774259527431859911/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=2774259527431859911' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/2774259527431859911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/2774259527431859911'/><link rel='alternate' type='text/html' 
href='http://pcistuff.blogspot.com/2008/03/hannaford-you-f-ing-boneheads.html' title='Hannaford you f-ing boneheads!'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-5050896360438712462</id><published>2008-02-13T10:15:00.000-08:00</published><updated>2008-02-13T10:21:56.863-08:00</updated><title type='text'>Buzzword a.k.a. Bullsh*t Bingo</title><content type='html'>I have been a recipient of some very creative e-spin lately. What is E Spin?&lt;br /&gt;&lt;br /&gt;It's another form of how many new buzzwords can I jam into an email to see if someone is interested in something I have. The latest one was keying in on compliance and virtualization. What is it about a virtual machine and access to it that requires a new way to audit it? 
It still has an OS and if you're in a SAS-70 physically secured facility then you won't have undocumented access to the physical blades/instances anyway.&lt;br /&gt;&lt;br /&gt;Some other cool buzzword E spin ideas:&lt;br /&gt;&lt;br /&gt;How Green is your Virtual Compliance project?&lt;br /&gt;How carbon neutral is PCI Compliance?&lt;br /&gt;Haven't you virtualized your green compliance initiative?&lt;br /&gt;&lt;br /&gt;What are your E-spins?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-5050896360438712462?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/5050896360438712462/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=5050896360438712462' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5050896360438712462'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5050896360438712462'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2008/02/buzzword-aka-bullsht-bingo.html' title='Buzzword a.k.a. 
Bullsh*t Bingo'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-7363293437308819195</id><published>2008-01-11T07:17:00.000-08:00</published><updated>2008-01-11T07:27:02.854-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance tools'/><title type='text'>NRF Show - See You There!!!</title><content type='html'>I will be headed to Manhattan this weekend to attend the &lt;a href="http://events.nrf.com/annual08/public/enter.aspx"&gt;NRF show &lt;/a&gt;at the Javits Center in NYC. I will be in booth #1475 talking about things PCI. Please stop by when/if you can. I always enjoy meeting folks who read my PCIStuff Blog, My &lt;a href="http://identitystuff.blogspot.com"&gt;Identitystuff blog &lt;/a&gt;or my &lt;a href="http://virtualizationstuff.blogspot.com"&gt;virtualizationstuff&lt;/a&gt; blog.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-7363293437308819195?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/7363293437308819195/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=7363293437308819195' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/7363293437308819195'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/7363293437308819195'/><link rel='alternate' type='text/html' 
href='http://pcistuff.blogspot.com/2008/01/nrf-show-see-you-there.html' title='NRF Show - See You There!!!'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-8056789393389942651</id><published>2007-12-21T06:07:00.000-08:00</published><updated>2007-12-21T06:13:38.437-08:00</updated><title type='text'>Teeth or Gums? Which is Which for the Consumer?</title><content type='html'>I just read this article in the Boston Globe this morning, and a smirk crossed my mind in that it proves a widely held theory I share with my friends in this space that Identity Theft and a massive breach is simply the cost of doing business. Unbelievable. Or is it?&lt;br /&gt;&lt;br /&gt;With services out there like &lt;a href="http://www.lifelock.com"&gt;Lifelock&lt;/a&gt; and the fact that the company who f'ed up covers the cost of monitoring, what's $100/year for their services, or free for monitoring? You'll save at least that much shopping at TJX companies or the mom and pop shop with no overhead, and no security in place... Right?&lt;br /&gt;&lt;br /&gt;http://www.boston.com/business/articles/2007/12/21/for_tjx_a_store_of_consumer_loyalty/&lt;br /&gt;&lt;br /&gt;Consumers don't stay angry in the face of a good deal.&lt;br /&gt;&lt;br /&gt;That's a lesson emerging from the data breach at TJX Cos., the Framingham retailer that a year ago discovered an intrusion into its computer security that compromised as many as 100 million payment-card accounts. While the episode led to lawsuits from banks and many complaints, sales at TJX stores such as TJ Maxx and Marshalls have risen steadily this year.&lt;br /&gt;&lt;br /&gt;Customers like Florida businesswoman Hanna Lipman help explain why. 
In April, Visa canceled one of Lipman's credit cards, saying it was compromised in the breach. By then, she had stopped going to the TJ Maxx store in Boca Raton.&lt;br /&gt;&lt;br /&gt;But now, Lipman said, she is back to spending about $100 a month at the store, on pocketbooks and other items. She expects TJX will be extra-cautious about protecting her information.&lt;br /&gt;&lt;br /&gt;"They got nailed from so many banks, I have to believe whatever can be done they have done," Lipman said.&lt;br /&gt;&lt;br /&gt;Another customer whose card was canceled, Phil Dunkelberger, said he still shops at a TJ Maxx store in California, but pays by cash or check to reduce his risk of data theft. "I think they're much safer than other vendors who haven't had a breach and gone through the pain," he said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-8056789393389942651?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/8056789393389942651/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=8056789393389942651' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8056789393389942651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8056789393389942651'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/12/teeth-or-gums-which-is-which-for.html' title='Teeth or Gums? 
Which is Which for the Consumer?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-8297712738172536511</id><published>2007-12-20T06:58:00.000-08:00</published><updated>2007-12-20T07:00:27.568-08:00</updated><title type='text'>My New Blog Launched</title><content type='html'>I have decided to start a third blog to cover yet another hot topic in IT - Virtualization, over at my new Blog - &lt;a href="http://virtualizationstuff.blogspot.com"&gt;Virtualization Stuff&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Enjoy!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-8297712738172536511?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/8297712738172536511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=8297712738172536511' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8297712738172536511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8297712738172536511'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/12/my-new-blog-launched.html' title='My New Blog Launched'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-3503251244630335001</id><published>2007-12-18T06:06:00.000-08:00</published><updated>2007-12-18T06:23:30.849-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Database security'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Is PCI a Scam?</title><content type='html'>I had to ask myself this question after two years working with clients to help solve their PCI issues and seeing only a handful of fines being handed out to the poster children of a breach. Here is why I pose the question...&lt;br /&gt;&lt;br /&gt;If I am an issuer of cards, why is it good business to bite the hand that feeds me in levying fines against those organizations who provide me revenue? Is the revenue that gets generated more fraudulent than legitimate so it is in my best interest to shut down the source of the fraud? If there was that much fraud because of the identity theft that is associated with fraud, isn't there anything else that the issuing card companies can do besides hand out fines? It just seems like it is adding insult to injury.&lt;br /&gt;&lt;br /&gt;If I am a level 2, 3, or 4 merchant, and I look at what it will cost me to get compliant both in terms of technology and access to expertise to implement a solution, why wouldn't I roll the dice and wait to be shut down, especially if the cost of compliance puts me out of business? 
I will say for the record that the level 2, 3, and 4 merchants are the most at risk for a breach because of their restricted access to capital and expertise, and their ability to pay for it, so they are in a no-win situation, are they not?&lt;br /&gt;&lt;br /&gt;If I look at what the core of the issue is, it is the databases used to store data. So why not lock down, encrypt, and render virtually inaccessible the records in said databases and leave it at that? Why not simply say that IF you store data (not a great idea but I know organizations do it), be sure it is encrypted all the way down to the cell level. It won't matter if I can get access to the database and copy it since it will be rendered useless unless I have access to some serious computing power. &lt;br /&gt;&lt;br /&gt;Can't the card companies incent &lt;a href="http://www.oracle.com/database/database-vault.html"&gt;Oracle&lt;/a&gt;, &lt;a href="http://msdn2.microsoft.com/en-us/library/ms187648.aspx"&gt;Microsoft&lt;/a&gt;, etc. 
to ship the encryption with their databases out of the box to make this happen?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-3503251244630335001?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/3503251244630335001/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=3503251244630335001' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/3503251244630335001'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/3503251244630335001'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/12/is-pci-scam.html' title='Is PCI a Scam?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-6407162854439009959</id><published>2007-12-10T06:54:00.000-08:00</published><updated>2007-12-10T07:25:24.997-08:00</updated><title type='text'>PCI e-Symposium from the ISSA</title><content type='html'>I sat in on a call with the &lt;a href="http://www.issa.org/"&gt;ISSA &lt;/a&gt;and I wanted to get some additional data out there for those of us working to figure out PCI Compliance. 
Enjoy!&lt;br /&gt;&lt;br /&gt;Links: &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.nubblegroup.com/PCI/index.html"&gt;My Personal Resources&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Mark&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-6407162854439009959?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/6407162854439009959/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=6407162854439009959' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6407162854439009959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6407162854439009959'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/12/pci-e-symposium-from-issa.html' title='PCI e-Symposium from the ISSA'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-5537653692256844086</id><published>2007-10-29T05:45:00.000-07:00</published><updated>2007-10-29T05:56:15.077-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Ouch!!! 
TJX Bank gets Whacked</title><content type='html'>This was what we've all been waiting for (ok maybe it's just most of us) - how is the ecosystem around a breach affected by said breach? &lt;br /&gt;&lt;br /&gt;In this case the Bank was hit with an $880,000 fine, $500,000 of which was the 'You knuckleheads' portion, and the other $380,000 went to the 'WTF are you serious, you can't be that stupid?' portion IMHO.&lt;br /&gt;&lt;br /&gt;I wonder if anyone has contacted Bob West who was at Fifth Third and responsible for Security prior to the breach and then left to start &lt;a href="http://www.echelonone.net/"&gt;Echelon One &lt;/a&gt;consulting. Scott Blake is another guy I know over there from Liberty Mutual Insurance and was formerly their CISO so hopefully this experience has given them something to research and help others with.&lt;br /&gt;&lt;br /&gt;Stay tuned for more coverage...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;By Ross Kerber, Globe Staff  |  October 29, 2007&lt;br /&gt;&lt;br /&gt;Visa USA issued $880,000 in penalties against a bank that processed transactions for TJX Cos., after an investigation of a computer hacking incident at the retailer.&lt;br /&gt;&lt;br /&gt;The figure is described in court filings that recently have painted a clearer picture of the consequences for TJX of Framingham after its data network was breached by an unknown intruder operating through last year.&lt;br /&gt;&lt;br /&gt;TJX, the parent of such stores as TJ Maxx and Marshalls, faces claims from banks that reissued cards in the wake of the breach that it failed to maintain adequate computer security.&lt;br /&gt;&lt;br /&gt;At the same time, TJX struck back in its own recent filing, denying the main allegations and faulting banks for failing to press for tougher card-security standards, mirroring complaints by other retailers.&lt;br /&gt;&lt;br /&gt;"The compromise presents a substantial risk to Visa and its members," states a June 22 letter from Visa, marked "highly confidential." 
The letter, now an exhibit in the case, is signed by a vice president of Visa, the biggest payment card network, and written to Fifth Third Bank in Cincinnati, which is also being sued. Both the letter and the TJX response were made public late Friday on the electronic docket system for Federal District Court in Boston.&lt;br /&gt;&lt;br /&gt;In another filing the same day, a Visa security official stated the incident amounted to "the largest data breach in the payment card industry," at least double the size of any in the past. Last week a filing put the number of affected accounts at more than 94 million, according to card networks, twice the figure of at least 45.7 million TJX had given in the past. Ninety-five percent of those numbers had expired by the time the breach was discovered late last year, TJX has said.&lt;br /&gt;&lt;br /&gt;A Visa spokesman yesterday said he couldn't immediately comment. A spokesman for Fifth Third did not return messages yesterday afternoon.&lt;br /&gt;&lt;br /&gt;TJX spokeswoman Sherry Lang said the fines are being appealed and noted TJX's own filing on Friday that denies wrongdoing. Among other things, it states that the plaintiffs themselves were at fault because as members of the Visa and MasterCard networks they failed to press them to implement security measures such as computer chips and personal identification numbers to reduce fraud. Any losses would be offset by credit card profits, the filing states. It also notes a judge has dismissed a negligence claim in the case.&lt;br /&gt;&lt;br /&gt;Card companies have struggled to increase the focus on security standards among banks and merchants.&lt;br /&gt;&lt;br /&gt;On Friday, Lang said the company now complies with the data security standards.&lt;br /&gt;&lt;br /&gt;Visa can levy fines when merchants don't meet the rules, but they generally are imposed on the banks that process transactions. 
Fifth Third could potentially pass the fine onto TJX.&lt;br /&gt;&lt;br /&gt;According to the Visa official's letter, the investigation found Fifth Third itself wasn't following certain security rules that the bank and its merchants must meet.&lt;br /&gt;&lt;br /&gt;The fine was determined in two parts. First, Visa assessed what it called an "egregious fine" of $500,000, "due to the seriousness of this security incident and the impact on the Visa system."&lt;br /&gt;&lt;br /&gt;In addition, Visa levied fines totaling $380,000, retroactive to October 2006, for what it called "TJX's failure to cease storing prohibited data" by Sept. 30, 2006. This apparently is a reference to stored customer credit card numbers that were later compromised in the intrusion.&lt;br /&gt;&lt;br /&gt;Ross Kerber can be reached at kerber@globe.com.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-5537653692256844086?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/5537653692256844086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=5537653692256844086' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5537653692256844086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5537653692256844086'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/10/ouch-tjx-bank-gets-whacked.html' title='Ouch!!! 
TJX Bank gets Whacked'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-1733198790550581064</id><published>2007-08-29T08:35:00.000-07:00</published><updated>2007-08-29T08:39:40.469-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance tools'/><category scheme='http://www.blogger.com/atom/ns#' term='Managed PCI'/><title type='text'>PCI Compliance as a Service</title><content type='html'>I recently came back to work at one of my former stomping grounds to develop and implement PCI Compliance as a Service to support our existing e-commerce customers, and to assemble the components to offer PCI Compliance as a Service to new customers, focusing on Level 2, Level 3, and Level 4 organizations.&lt;br /&gt;&lt;br /&gt;The offering has two phases:&lt;br /&gt;&lt;br /&gt;PCI Readiness audit&lt;br /&gt;&lt;br /&gt;Because I am not a QSA, I will come in and perform a 5-day audit of your existing systems and report the results back to you. Only you. From this activity will come a full tactical remediation plan that can be implemented in your data centers or mine (I have 16 around the world). 
In many cases this can be done in 30 days or less, before you incur another monthly fine.&lt;br /&gt;&lt;br /&gt;Remediation&lt;br /&gt;&lt;br /&gt;The Tactical Remediation Plan (TRP) outlines a project plan, based on current state and identified gaps, that gets implemented in one of two ways – on your premises or mine.&lt;br /&gt;&lt;br /&gt;The execution on your premises is the same as what I have done in ours – which is to deploy a set of technologies to support a fully audited and proactively enforced process and environment. I have a relationship with QSAs who know what I can deliver and will certify the solution and the environment at the end of the deployment.&lt;br /&gt;&lt;br /&gt;The components of the solution will require an investment of hardware, software, and services, ranging from knowledge transfer at the low end to full remote management, executive dashboards for real-time reporting, and other complementary services you can choose based on resource expertise and availability.&lt;br /&gt;&lt;br /&gt;The second option is to spin up an environment in one of my SAS-70 Type II data centers and provision the technologies to cover the requirements of PCI that are not covered by the SAS-70 audits. I will give you the SAS-70 audit results to hand off to your auditors as part of the package whether the systems are affected by PCI or not. Same technologies and processes, and I bring the networking, application, and compliance expertise to the table on an ongoing basis. There are also SLAs, and additional services that I will bring to bear if the need is there. I will do as much or as little as you need.&lt;br /&gt;&lt;br /&gt;This second option has been the most popular for two key reasons. The first is that it is paid for as an operating expense, so there is no capital expense investment and it stays off the balance sheet. 
The second is that the expertise acquisition required to deliver a solution is cost-prohibitive for most Level 3 and 4 organizations, so this is a financially viable option that lets leaner shops tap into a broad knowledge and resource base. It is a single monthly number for infrastructure, services, and auditing, including the on-site QSA certification in my data centers. Fixed costs.&lt;br /&gt;&lt;br /&gt;A third reason people want to talk to me is that although they may be a Level 2, 3 or 4, they want to play at a Level 1 operation to strengthen their relationships with customers, be proactive about mitigating risks, and avoid becoming a Level 1 because of a breach.&lt;br /&gt;&lt;br /&gt;The costs vary based on how non-compliant you are and what your infrastructure looks like. If I can help and save you money in fines or operations, I will spell out how much. If I can’t, I’ll let you know sooner rather than later so we can both pursue other avenues.&lt;br /&gt;&lt;br /&gt;Send an email to pcistuff@gmail.com to learn more or to discuss your situation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-1733198790550581064?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/1733198790550581064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=1733198790550581064' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/1733198790550581064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/1733198790550581064'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/08/pci-compliance-as-service.html' title='PCI Compliance as a Service'/><author><name>Mark Mac 
Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-1471337774571913797</id><published>2007-08-27T06:03:00.000-07:00</published><updated>2007-08-27T06:11:08.674-07:00</updated><title type='text'>My PCIStuff 'Playbook'</title><content type='html'>For anyone trying to wrap their brains around how to implement a PCI-compliant solution for their infrastructure, email me. I will send you the spec on what I have developed for two companies and was compensated to see it implemented (it exceeded the spec).&lt;br /&gt;&lt;br /&gt;It is not a detailed step-by-step, 'buy this product', or 'implement it using this company' or other very specific how-to (that's why people pay me). But it works, is not expensive, and I can offer a compliant solution as a service to keep it off the balance sheet.&lt;br /&gt;&lt;br /&gt;pcistuff@gmail.com&lt;br /&gt;&lt;br /&gt;Please tell me who you work for and how I can help in the email. I keep track of this stuff for my own records. 
I did this with my &lt;a href="http://identityplaybook.blogspot.com/"&gt;identity management playbook &lt;/a&gt;and it wound up in the hands of folks all over the world and helped me establish some new relationships.&lt;br /&gt;&lt;br /&gt;Mark&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-1471337774571913797?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/1471337774571913797/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=1471337774571913797' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/1471337774571913797'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/1471337774571913797'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/08/my-pcistuff-playbook.html' title='My PCIStuff &apos;Playbook&apos;'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-8314260439601800065</id><published>2007-08-09T10:51:00.000-07:00</published><updated>2007-08-09T10:56:53.155-07:00</updated><title type='text'>Have you been Compromised?</title><content type='html'>I was reading &lt;a href="http://pcianswers.com/"&gt;Michael Dahn's blog&lt;/a&gt;, and saw a link to &lt;a href="https://www.stolenidsearch.com/"&gt;https://www.stolenidsearch.com/&lt;/a&gt; where you can type in credential information and find out if you (or your identity) have been bought &amp; sold 
lately.&lt;br /&gt;&lt;br /&gt;My devil's advocate came out (I'm a security guy at heart) and reared its head and immediately thought - if I set up a similar site, register a few domain names with some misspellings or use meta data from the legit site, I could in fact set up a very simple identity data capture site, claim it's more secure than Stolen ID Search because I require more information (like a CC#, zip code, etc.) and guess what - I'm in business as an identity thief. If someone stole this idea let me know, it's not that hard...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-8314260439601800065?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/8314260439601800065/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=8314260439601800065' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8314260439601800065'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8314260439601800065'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/08/have-you-been-compromised.html' title='Have you been Compromised?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-6942008809348444321</id><published>2007-08-08T08:16:00.000-07:00</published><updated>2007-08-08T08:26:40.694-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI Compliance tools'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Oracle'/><category scheme='http://www.blogger.com/atom/ns#' term='database'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Oracle's Database Vault</title><content type='html'>I had the chance to sit down with Oracle yesterday and discuss what their role in PCI compliance was, and was pleasantly surprised when the topic of their &lt;a href="http://www.oracle.com/database/database-vault.html?pageregion=ocom_hp_c_main_1_datavault_safeguards_042705"&gt;Database Vault &lt;/a&gt;product came up. &lt;br /&gt;&lt;br /&gt;The thrust of the offering is to encrypt and protect data at rest so that your DBAs don't know your financial results before the CFO does. It will take protection from the port of the app down to the column level, and this is pretty slick for a number of reasons:&lt;br /&gt;&lt;br /&gt;1. It gives fine-grained access control and auditability inside the database, where all the juicy information is stored.&lt;br /&gt;&lt;br /&gt;2. It will encrypt and fuzz the data so that you can only see subsets (e.g. the last four digits of a Social Security number) of the data tied to a record (PAN).&lt;br /&gt;&lt;br /&gt;3. It is a proactive, policy-based mechanism that tracks where the sensitive data is; once policy is set, access to the data is set too.&lt;br /&gt;&lt;br /&gt;The one question I asked that has serious ramifications (good ones) was - is the Database Vault product considered and validated as an application-layer firewall for databases? 
No answer yet, but I'll keep the community updated.&lt;br /&gt;&lt;br /&gt;pcistuff@gmail.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-6942008809348444321?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/6942008809348444321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=6942008809348444321' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6942008809348444321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6942008809348444321'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/08/oracles-database-vault.html' title='Oracle&apos;s Database Vault'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-8686478024541761064</id><published>2007-07-26T10:31:00.000-07:00</published><updated>2007-07-26T10:32:54.090-07:00</updated><title type='text'>Breakdown of PCI Merchant Levels</title><content type='html'>PCI Merchant levels and what it really means:&lt;br /&gt;&lt;br /&gt;Level 1 &gt;6,000,000 transactions annually&lt;br /&gt;&lt;br /&gt;500,000 Transactions per month&lt;br /&gt;~16,667 transactions per day&lt;br /&gt;&lt;br /&gt;Fortune 100 retailers, web retailers, National and international banks, oil companies owning gas stations/convenience stores&lt;br /&gt;&lt;br /&gt;Level II 1,000,000 – 6,000,000 transactions annually&lt;br /&gt;&lt;br /&gt;83,334 
transactions per month&lt;br /&gt;~2,778 – 16,667 transactions per day&lt;br /&gt;&lt;br /&gt;Convenience stores, utility companies (phone, electric, cable), small to medium retail stores, and web sites&lt;br /&gt;&lt;br /&gt;Level III 20,000 – 1,000,000 transactions annually&lt;br /&gt;&lt;br /&gt;1,667 – 83,334 transactions per month&lt;br /&gt;~55 – 2,777 transactions per day&lt;br /&gt;&lt;br /&gt;Small businesses, corporations who accept credit cards as a payment option&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-8686478024541761064?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/8686478024541761064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=8686478024541761064' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8686478024541761064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8686478024541761064'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/07/breakdown-of-pci-merchant-levels.html' title='Breakdown of PCI Merchant Levels'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-1806065247846258976</id><published>2007-07-16T11:58:00.000-07:00</published><updated>2007-07-16T12:51:12.057-07:00</updated><title type='text'>Who is the enforcement arm for PCI? 
The new 3 letter agency?</title><content type='html'>I recently found out that the QSAs are the enforcement folks in the PCI Compliance arena. They need to sign off that not only are they a solid choice to audit you, but they'll be forced to blow the whistle if there is anything amiss.&lt;br /&gt;&lt;br /&gt;This got me thinking... Who else is offering a pre-audit who is not a QSA? &lt;br /&gt;&lt;br /&gt;It's pretty clear what needs to be in place; it's also pretty clear when something is not; and it's very clear that you want to use a third party so that no cover-your-ass things take place in the ranks.&lt;br /&gt;&lt;br /&gt;So are there any other ex-cop/private investigator/black ops types out there? You know what I mean, the guys that KNOW the system but aren't PART of the system...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-1806065247846258976?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/1806065247846258976/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=1806065247846258976' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/1806065247846258976'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/1806065247846258976'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/07/who-is-enforcement-arm-for-pci-new-3.html' title='Who is the enforcement arm for PCI? 
The new 3 letter agency?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-5428512025044108078</id><published>2007-06-13T06:56:00.000-07:00</published><updated>2007-06-13T07:03:10.777-07:00</updated><title type='text'>Wifi - The Hole You Can Drive A Bus Through?</title><content type='html'>Having read more about the TJX breach and how it started - with wireless sniffing - and yesterday sitting in a parking lot of a Danbury, CT shopping center and being able to see 6 wireless networks, all identifiable by some naming convention that tied them back to the retailer, it got me thinking...&lt;br /&gt;&lt;br /&gt;Is WIFI the big ubiquitous hole you could drive a bus through? &lt;br /&gt;&lt;br /&gt;Yes, the little lock showed up on my wireless network 'available networks' scan, but even me - who is slightly more technically capable than a junior high student - could have pulled down a &lt;a href="http://wepcrack.sourceforge.net/"&gt;WEP cracker &lt;/a&gt;and had some fun had my lunch appointment been late.&lt;br /&gt;&lt;br /&gt;Folks, take a look at &lt;a href="http://www.wifi-owl.com/"&gt;WIFI Owl&lt;/a&gt; and get scanning yourself before some interested party like me does it for you...&lt;br /&gt;&lt;br /&gt;Mark&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-5428512025044108078?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/5428512025044108078/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=5428512025044108078' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5428512025044108078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/5428512025044108078'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/06/wifi-hole-you-can-drive-bus-through.html' title='Wifi - The Hole You Can Drive A Bus Through?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-6410191089849659113</id><published>2007-06-13T05:58:00.000-07:00</published><updated>2007-06-13T06:20:45.895-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Compliance as a Service'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>New Frontiers...</title><content type='html'>It's been far too long since I have contributed something meaningful on my PCI blog and I felt compelled based on some work I am doing now, to finally post something with some interesting implications.&lt;br /&gt;&lt;br /&gt;In the past 5 years, having spent a great deal of time in the identity management and compliance space the one thing that is repeatedly being talked about is the cost/benefit trade off of compliance. 
Historically, the companies I've worked directly with are spending millions on relatively undefined compliance laws and are having a hard time figuring out how to pay for all of this imposed regulation designed to provide accuracy and transparency of financial information.&lt;br /&gt;&lt;br /&gt;The PCI Compliance specification is the first piece of compliance directive that was designed by those in the industry rather than by lawyers and politicians, and it is because of this approach that I believe it makes more sense than some of the other stuff out there - HIPAA and SOX specifically. It also outlines the downside of not paying attention to the intent or implementations of controls and what they are designed to do. Way to go on clarity.&lt;br /&gt;&lt;br /&gt;The one thing I am starting to discuss with companies is how PCI will ultimately be enforced. Will it be auditors' responsibility to blow the whistle? Will it be based on the materiality of the gaps in their PCI program?&lt;br /&gt;&lt;br /&gt;To this end, I am working a lot of hours on designing PCI as a service. The biggest reason driving this is cost and where the costs hit a balance sheet. There is a fair amount of infrastructure cost tied to PCI if you're behind the times, and the operational controls and expertise on an ongoing basis are another thing to consider, since PCI is not an event but something that ultimately must be baked into an organization's operational DNA.&lt;br /&gt;&lt;br /&gt;What organizations are trying to figure out is how to keep the capital infrastructure expenses low and work with companies that provide not just auditing but ongoing compliance. 
Stay tuned for my thoughts on this in the next few weeks, as I am close to a way to do this.&lt;br /&gt;&lt;br /&gt;Mark MacAuley&lt;br /&gt;&lt;br /&gt;pcistuff@gmail.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-6410191089849659113?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/6410191089849659113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=6410191089849659113' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6410191089849659113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6410191089849659113'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/06/new-frontiers.html' title='New Frontiers...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-8545841724746064579</id><published>2007-04-16T12:45:00.000-07:00</published><updated>2007-04-16T12:47:18.833-07:00</updated><title type='text'>Wifi Owl Take 2</title><content type='html'>So I did some more playing around, and I personally think this has some legs. 
Here are some links to the reports (which is where I start most evals):&lt;br /&gt;&lt;br /&gt;What else can do this?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_Show_Encryption/start.html" target="_blank"&gt;Show encryption used in APs&lt;/a&gt; (click to see report) This report shows the encryption method that access points use to protect data sent over the wireless network&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_Show_SecuritySettingsChanges/start.html" target="_blank"&gt;Shows dates when security settings were changed&lt;/a&gt; (click to see report) This report shows the dates when Access Point security settings were changed&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_Show_WEPKeysChanges/start.html" target="_blank"&gt;Shows dates of last changes of encryption keys&lt;/a&gt; (click to see report) This report shows the dates when Access Point WEP encryption keys were changed&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_That_Broadcast_SSID/start.html" target="_blank"&gt;Find APs that broadcast SSID&lt;/a&gt; (click to see report) This report shows the list of access points that broadcast their SSID&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_With_Default_AdminID/start.html" target="_blank"&gt;Show APs with Default Admin ID&lt;/a&gt; (click to see report) This report shows the list of access points with default user names. 
These access points are not secure.&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_With_Default_Password/start.html" target="_blank"&gt;Identify APs with default passwords&lt;/a&gt; (click to see report) This report shows the list of access points with accounts that have default or simple passwords. These access points are not secure.&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_With_Default_SNMP_CommunityString/start.html" target="_blank"&gt;Find APs with community string = public&lt;/a&gt; (click to see report) This report shows the list of access points with the default SNMP community string. These access points are not secure.&lt;br /&gt;&lt;a href="http://www.wifi-owl.com/wifi_reports/wifi_security/wifi_security_AP_With_FTP_Enabled/start.html" target="_blank"&gt;Show APs with FTP Enabled&lt;/a&gt; (click to see report) This report shows the list of access points with the FTP service enabled.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-8545841724746064579?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/8545841724746064579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=8545841724746064579' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8545841724746064579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8545841724746064579'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/04/wifi-owl-take-2.html' 
title='Wifi Owl Take 2'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-8566913870701601381</id><published>2007-03-15T17:34:00.000-07:00</published><updated>2007-03-15T17:40:26.401-07:00</updated><title type='text'>PCI and SAS 70 - Mind The Gap?</title><content type='html'>I am trying to figure out the gap between a SAS-70 compliant facility/environment and one for PCI. Has anyone done a Gap Analysis on these two? I have my brain wrapped around PCI. Not so much on the SAS-70 piece.&lt;br /&gt;&lt;br /&gt;The reason I ask is that I am watching what I believe to be an emerging trend - outsourcing for PCI compliance. In other words, outsourcing the liability (to some extent). The advantage I see to working with a managed services vendor who is SAS-70 compliant AND publicly traded is that auditing is already built into the business operations - it's not a new division, a new effort, etc.; it's habit. It is something that is already done and is an extension of the business/business model vs. 
something for them to figure out for me, their shiny new customer.&lt;br /&gt;&lt;br /&gt;Thoughts?&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:pcistuff@gmail.com"&gt;pcistuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-8566913870701601381?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/8566913870701601381/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=8566913870701601381' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8566913870701601381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/8566913870701601381'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/03/pci-and-sas-70-mind-gap.html' title='PCI and SAS 70 - Mind The Gap?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-7731714015450232940</id><published>2007-03-09T06:10:00.000-08:00</published><updated>2007-03-09T06:17:40.891-08:00</updated><title type='text'>WiFi Audit solution - WiFi Owl</title><content type='html'>I had lunch yesterday with a former colleague; we hadn't seen each other for a while and got together for sushi and to discuss the state of the union, as it were. 
One of the things that we were discussing was a wireless audit solution that satisfies some key components of PCI.&lt;br /&gt;&lt;br /&gt;I thought I would let some folks know about it since wireless is EVERYWHERE in the Level 1s out there; they can't survive without it. This is the first wireless audit solution I've ever heard about. There are a ton of wireless security plays out there like &lt;a href="http://www.airdefense.com"&gt;AirDefense&lt;/a&gt;, &lt;a href="http://www.cisco.com/wireless"&gt;Cisco/Perfigo&lt;/a&gt;, etc. etc. but the audit capabilities are an 'oh, by the way' vs. a core set of functionality of the solution.&lt;br /&gt;&lt;br /&gt;Anyway, take a look - &lt;a href="http://www.wifi-owl.com"&gt;Wifi Owl &lt;/a&gt;is the name, and I think this has some legs, especially if they can OEM this as a component to other vendors with a weak auditing play in their product, or for consultants and the certified auditors - I smell a margin booster...&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:pcistuff@gmail.com"&gt;pcistuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-7731714015450232940?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/7731714015450232940/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=7731714015450232940' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/7731714015450232940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/7731714015450232940'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/03/wifi-audit-solution-wifi-owl.html' title='WiFi Audit solution - WiFi Owl'/><author><name>Mark Mac 
Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-3076578071585047921</id><published>2007-03-02T08:46:00.000-08:00</published><updated>2007-03-02T08:48:11.314-08:00</updated><title type='text'>How Non-Compliant Can You Be and Still Be in Business?</title><content type='html'>So I was in Maine recently in a vehicle that was allegedly due for an inspection, and was subsequently pulled over by a very cordial police officer in Biddeford. He wrote up a ticket, and I waited the requisite number of days to go online and settle up and/or contest the charges.&lt;br /&gt;&lt;br /&gt;I went to the &lt;a href="http://www.paytixx.com/"&gt;PayTixx website &lt;/a&gt;and punch in the requisite (public) information about &lt;a href="https://www.informe.org/cgi-bin/paytixx/paytixx.pl"&gt;my ticket&lt;/a&gt;. I then go to pay said fine, and just happen to notice that there is NO encryption/SSL on the site where I need to enter my PRIVATE information like credit card number, etc. etc. as evidenced by no padlock on the browser I was using. I used another browser (older) to rule out an obvious technical glitch. Nada. Zip. No Padlock. No Security. There is however a nice little graphic with the Maine.gov logo and a little padlock, allegedly ensuring that the site is secure.&lt;br /&gt;&lt;br /&gt;Hmmmm, I must be on the insecure page. This logo links me to &lt;a href="http://www.maine.gov/portal/policies/security.html"&gt;a page &lt;/a&gt;with details about the &lt;a href="http://www.maine.gov/portal/policies/security.html"&gt;Transaction Security Policy &lt;/a&gt;(Full text at the end of the posting). 
So the State has a policy, a nice custom branded security looking logo with a link to the site, yet absolutely no validation from the technology they allegedly use to validate to me, the private information holder, that the site is in fact secure and using at least the 128-bit encryption they claim.&lt;br /&gt;&lt;br /&gt;I'm no White Hat, Grey Hat, or Black Hat, but I do know a few and I have to say that there is a potential GOLDMINE here that is being funded by the taxpayers of Maine, for personal information of alleged drivers of different infraction types - speeders, uninspected motorists, suspended licensees, etc. etc. being poached and sold. Perhaps that is why CSC got thrown out of the State IT projects they were working on.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Don't tell me the State of Maine, or any other State can't afford better (ANY) security these days. Please DO tell me that the States will not contribute to identity theft any more than they do. This is ridiculous. By the way - it is also NOT PCI compliant. Big Ding from Visa and Mastercard, folks. They could fine you TODAY, and suspend your right to take these cards as payments - in fact if they did, they would ensure the security and privacy of at least me today.&lt;br /&gt;&lt;br /&gt;I will again urge that &lt;a href="http://www.maine.gov/sos/"&gt;Mark Kemmerle, Donna Grant, or Matt Dunlap &lt;/a&gt;please return the calls I have made into your office.&lt;br /&gt;&lt;br /&gt;I am more than willing and able to help improve the *real* security - and now, it's personal on why you need it.&lt;br /&gt;&lt;br /&gt; &lt;a href="mailto:identitystuff@gmail.com"&gt;identitystuff@gmail.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Maine's Transaction Security Policy&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Maine state government and InforME take Internet security very seriously. Our technology and policies are designed to make your online transactions safe, private and secure. 
Documented steps are taken to safeguard information according to established security standards and procedures and we continually evaluate the newest technology for protecting information. Sensitive information passed in online transactions such as social security numbers, banking information, and personal data is confidential. Please refer to our &lt;a href="http://www.maine.gov/portal/policies/privacy.html"&gt;privacy policy&lt;/a&gt; for details about the collection of information from visitors to state websites. Whenever you see this icon on a Maine state government online service, you can rest assured that the following safeguards and security criteria are in place: Transactions involving sensitive information occur on a secure server. You can look for the "lock" symbol at the bottom of your browser window to verify that you are on a secure server. Our secure socket layer (SSL) software uses state-of-the-art 128-bit encryption to ensure that your personal and financial information cannot be intercepted during transmission to our server. All information requests pass through hardware and software security firewalls. Communication between InforME servers/systems and State databases is passed via a secure private network. 
Encrypted personal information includes credit card numbers as well as social security numbers and banking information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-3076578071585047921?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/3076578071585047921/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=3076578071585047921' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/3076578071585047921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/3076578071585047921'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/03/how-non-compliant-can-you-be-and-still.html' title='How Non-Compliant Can You Be and Still Be in Business?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-3749407879755301539</id><published>2007-02-26T06:52:00.000-08:00</published><updated>2007-02-26T07:07:32.890-08:00</updated><title type='text'>Two Factor Authentication - Squared</title><content type='html'>I was working with a large SI last week who does a lot of work for the government. I was there to prove out a solution to protect their DHCP servers from unauthorized users getting an IP address and subsequently on their network, and their customer's network. 
I showed them how the solution worked in 15 minutes and was done with that part of the discussion.&lt;br /&gt;&lt;br /&gt;The next part was around authentication. Part of it was academic discussion, part was to think through a business problem - authentication, and how much is enough. We were able to figure out that with the same solution we just used to solve one problem would also solve another, and one that is on the minds of anyone working on HSPD-12 initiatives.&lt;br /&gt;&lt;br /&gt;Long story short - four factor authentication. Two factor authentication, squared, or 2F2.&lt;br /&gt;&lt;br /&gt;Here is how it works:&lt;br /&gt;&lt;br /&gt;I identify the user in two ways - PIV Card, and Login credentials (PAC &amp; LAC Controls)&lt;br /&gt;&lt;br /&gt;I identify the machine in two ways - by unique machine ID (hardware serial numbers encrypted in every packet), and certificate exchange.&lt;br /&gt;&lt;br /&gt;Unalterable, proven, and deployed in days.&lt;br /&gt;&lt;br /&gt;Why does this matter for PCI?&lt;br /&gt;&lt;br /&gt;Audit - Be able to see every network layer event, by who, from what machine, in real time.&lt;br /&gt;&lt;br /&gt;Control - Make policy based access decisions based on 4 different attributes providing the ultimate in flexibility and rollout options. For example - known/trusted user AND known trusted machine on my LAN - access to what they need to do their job from DAY ONE (email). 
Known user/unknown machine (vendors/guests) get access to Port 80 only so they can demo, check webmail, etc.&lt;br /&gt;&lt;br /&gt;At the macro level -&lt;br /&gt;&lt;br /&gt;You have just scoped down your threat vector area to only those you know and trust, be they machines or people.&lt;br /&gt;&lt;br /&gt;Add to it the functionality of immediate real time alerting in the event something bad looks like it is happening, and reporting to understand exactly how they tried to do what they did, were blocked, but still logged - Priceless...&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:pcistuff@gmail.com"&gt;pcistuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-3749407879755301539?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/3749407879755301539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=3749407879755301539' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/3749407879755301539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/3749407879755301539'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/02/two-factor-authentication-squared.html' title='Two Factor Authentication - Squared'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-210020877835499993</id><published>2007-02-19T17:13:00.000-08:00</published><updated>2007-02-19T17:15:51.379-08:00</updated><title type='text'>PCI Fines and Compliance Dates - Hot topic</title><content type='html'>March 31, 2007 - must complete attestation, signed by an officer of the corporation, stating that no: Track data, PIN block data, or CVV2/CVC2 data is stored — else fines of $10,000 per month.&lt;br /&gt;&lt;br /&gt;Sept. 30, 2007 - must be compliant or monthly fines of $5,000 are levied.&lt;br /&gt;&lt;br /&gt;Dec. 31, 2007 - must be compliant or monthly fines of $25,000 are levied.&lt;br /&gt;&lt;br /&gt;It has been almost 2.5 years since the original deadline for compliance on September 30, 2004.  Companies that have not met the compliance requirements are in for a rude awakening.  Hopefully you started the process long ago and are just finishing up now.&lt;br /&gt;&lt;br /&gt;They can still revoke your ability to accept cards as payment which is a double whammy and pretty careless given that you can get a solution end to end (including documentation) for $100-150,000 USD.&lt;br /&gt;&lt;br /&gt;Mark&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-210020877835499993?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/210020877835499993/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=210020877835499993' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/210020877835499993'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/37657084/posts/default/210020877835499993'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/02/pci-fines-and-compliance-dates-hot.html' title='PCI Fines and Compliance Dates - Hot topic'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-6515678287533316488</id><published>2007-02-09T10:44:00.000-08:00</published><updated>2007-02-07T05:59:08.034-08:00</updated><title type='text'>Relentless Pursuit of Better...</title><content type='html'>Lifted from another blog...&lt;br /&gt;&lt;br /&gt;An unusual post, but it is the New Year and we might as well start with a bit of reflection on innovation and elegance. Follows are excerpts from &lt;a href="http://guykawasaki.typepad.com/ElegantSolutions.pdf" modo="false" snap_icon_added="spa" snap_preview_added="spa" parent_link_icon="maybe"&gt;“Elegant Solutions - Breakthrough thinking the Toyota Way”&lt;/a&gt; by Matthew E. May. Thank you to &lt;a href="http://blog.guykawasaki.com/" snap_icon_added="spa" snap_preview_added="spa" parent_link_icon="maybe"&gt;Guy Kawasaki&lt;/a&gt; for pointing to this manifesto.&lt;br /&gt;&lt;br /&gt;“An elegant solution is one in which the optimal outcome is achieved with the minimal expenditure of effort and expense.”&lt;br /&gt;&lt;br /&gt;A big lesson - “Avoid the Temptations&lt;br /&gt;Swinging for fences. This is the “homerun or bust” trap, which invariably destroys a strong batting average over time. It carries with it huge risk, usually accompanied by high cost.&lt;br /&gt;Getting too clever. This is the “bells and whistles” trap, which can easily get out of control in an effort to outdo competitors. 
It carries with it the danger of complexity and customer alienation.&lt;br /&gt;Solving problems frivolously. This is the “brainstorm” trap, which is misguided creativity far afield from company direction. It’s a symptom of poorly defined work, and fraught with waste. There’s a reason we call it an organization.&lt;br /&gt;&lt;br /&gt;Small baby steps and keep the ideas simple. I am certainly guilty of number 3, but I believe in the same breath that without these activities my truly elegant solutions would never come to bear.&lt;br /&gt;&lt;br /&gt;“The pursuit of perfection is not focused on achieving perfection, it’s focused on chasing it. Perfection is unachievable…it’ll never happen. We’ve become impatient with mastery. If you can’t achieve perfection, why bother? Because you have to. Otherwise you’ll always be a follower. At Toyota the mantra is: no best, only better.&lt;br /&gt;&lt;br /&gt;“I love the idea that perfection is unattainable, yet is within our grasp. The idea of continuously redeveloping oneself and one’s art as a process of perfection is very inspiring.&lt;br /&gt;&lt;br /&gt;“All artists work within the confines of their chosen media, and it’s the limits that spur their creativity. The canvas edge, the marble block, the eight musical notes—the resources are finite. So it’s how you view and manage them that makes all the difference.&lt;br /&gt;&lt;br /&gt;And that’s the big question: Are limits preventing innovation, or enabling it? There’s only one right answer. Innovation demands exploiting limits, not ignoring them.”&lt;br /&gt;&lt;br /&gt;Limits of resources are a forever challenge to those working in every industry around the world. The Toyota concept of embracing these constraints and finding innovation is an uncharacteristic way of viewing these deficiencies. It is very practical to consider constraints for those who (in our context) manage businesses and IT controls. There is always a budget and unfortunately only 24 hours on that clock. 
The ability to work within these boundaries and excel is a challenging and worthwhile path.&lt;br /&gt;&lt;br /&gt;“Keep it Lean&lt;br /&gt;&lt;br /&gt;Complexity kills—scale it back, make it simple, and let it flow. More is often just more. Unless it’s more simple, accessible, timely and efficient, which really means it’s less complicated and complex. When it comes to solutions, size and sprawl matter. Be-all, end-all, feature-rich solutions almost always miss the mark. Because they’re over-scoped and too complex. They’re usually proof that we lack real insight into our customer’s desires. Complexity destroys value, which is what matters most to the customer. The most elegant solutions always seem blazingly simple.&lt;br /&gt;&lt;br /&gt;The opposite of most organizations and product solutions that try to throw a kitchen sink at a problem. Addressing a problem in a simple fashion is key to controlling costs - emotional, capital, and intellectual. Consider implementing a complex application for a single task - will it be used? Will every feature be used?&lt;br /&gt;&lt;br /&gt;My favorite (and I admit I am an addict): How many features of Microsoft Excel do you use? How many versions have they been in the application (since the end of time you say?!) - why did you just buy another version to upgrade? Balance the simplicity with the problem at hand. Something that is paramount to addressing compliance and regulatory concerns. Documentation should be simple and direct.&lt;br /&gt;&lt;br /&gt;Controls should be clear and operating. 
Long explanations are not necessary (to auditors or lawyers) if the work is elegant.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-6515678287533316488?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/6515678287533316488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=6515678287533316488' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6515678287533316488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/6515678287533316488'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/02/relentless-pursuit-of-better.html' title='Relentless Pursuit of Better...'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-4908871054630032392</id><published>2007-02-07T05:57:00.000-08:00</published><updated>2007-02-07T05:59:08.137-08:00</updated><title type='text'>Stepping Up PCI Compliance</title><content type='html'>&lt;p&gt;Common sense is entering the picture finally...&lt;/p&gt;&lt;p&gt;Although it was already too late to prevent the TJX data breach, Visa in December said it would begin offering &lt;a href="http://biz.yahoo.com/bw/061212/20061212005614.html?.v=1" target="_blank"&gt;$20 million in financial incentives and create new sanctions&lt;/a&gt; to spur merchant compliance with PCI through its Visa PCI Compliance Acceleration Program. 
"The initiative's goal is to eradicate the &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=storage&amp;x=&amp;amp;y="&gt;storage&lt;/a&gt; of full-track data, CVV2, and PIN data, and grow PCI compliance among this group of merchants," Visa said in a statement at the time. Merchants in full &lt;a href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=compliance&amp;x=&amp;amp;y="&gt;compliance&lt;/a&gt; with PCI by March 31, and who have not had any of their data compromised, will be eligible to receive a one-time payment, although Visa doesn't specify the amount. &lt;/p&gt;&lt;p&gt;&lt;br /&gt;Visa has for the past two years been handing out fines for noncompliance with PCI. In 2006, Visa assessed $4.6 million in fines, up from a 2005 total of $3.4 million. Banks that process credit card transactions for businesses will be fined up to $25,000 monthly for any of their largest merchants--those that process more than 1 million Visa transactions annually--not in compliance with PCI by the end of the year. 
&lt;/p&gt;&lt;p&gt;These banks also are required to assure Visa that their merchants aren't storing full-track, CVV2, or PIN data by March 31, or the banks will be eligible for fines up to $10,000 per month.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-4908871054630032392?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/4908871054630032392/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=4908871054630032392' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/4908871054630032392'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/4908871054630032392'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/02/stepping-up-pci-compliance.html' title='Stepping Up PCI Compliance'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116827650406964273</id><published>2007-01-08T09:07:00.000-08:00</published><updated>2007-01-08T09:15:04.270-08:00</updated><title type='text'>What is the next step after a PCI audit?</title><content type='html'>I am posing a generic question to see what the next logical step is for an organization. I have been thinking about a few scenarios and here is what I came up with:&lt;br /&gt;&lt;br /&gt;1. 
Send the findings up the food chain to management and let them decide how important actually fixing it is and wait for orders.&lt;br /&gt;&lt;br /&gt;2. Make your bones by actually having a solution in your hip pocket to address the holes in the audit and take it from "Here's how broken we are" to "and here is how I think we should fix it".&lt;br /&gt;&lt;br /&gt;3. Outsource everything entirely, only there is no one to my knowledge willing OR able to assume the liability of non-compliance, at least from a technology standpoint (but what a business), although the technology exists.&lt;br /&gt;&lt;br /&gt;4. Do nothing and see what happens. AKA roll the dice, AKA 'We're too small', or 'We just spent $100,000 on security last year, we'll be fine'.&lt;br /&gt;&lt;br /&gt;What are YOU seeing? I am guessing #1 and #4 are getting a lot of consideration.&lt;br /&gt;&lt;br /&gt;pcistuff@gmail.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116827650406964273?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116827650406964273/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116827650406964273' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116827650406964273'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116827650406964273'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2007/01/what-is-next-step-after-pci-audit.html' title='What is the next step after a PCI audit?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116723873261927287</id><published>2006-12-27T08:57:00.000-08:00</published><updated>2006-12-27T08:58:52.750-08:00</updated><title type='text'>PCI Fines - The Teeth of PCI-DSS Compliance</title><content type='html'>In 2006, Visa levied $4.6 million in fines, up  from a 2005 total of $3.4 million.&lt;br /&gt;&lt;br /&gt;This new program sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. Additionally, Visa is adding new fines to acquirers whose Level 2 merchant customers retain full-track data, CVV2 or PIN data after the transaction authorization.&lt;br /&gt;&lt;br /&gt;Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. 
For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.&lt;br /&gt;&lt;br /&gt;From &lt;a href="http://www.visa.com"&gt;Visa&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116723873261927287?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116723873261927287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116723873261927287' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116723873261927287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116723873261927287'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/12/pci-fines-teeth-of-pci-dss-compliance.html' title='PCI Fines - The Teeth of PCI-DSS Compliance'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116620064390380946</id><published>2006-12-15T08:29:00.000-08:00</published><updated>2006-12-15T08:52:18.846-08:00</updated><title type='text'>PCI DSS Requirement 5</title><content type='html'>This is one area that NAC vendors are likely to latch onto, however ask them how they will give you NAC functionality, 
while securing and encrypting things on the network without a massive hardware footprint or IOS upgrade... &lt;a href="http://www.trustednetworktech.com"&gt;TNT can&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers) Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes. &lt;span style="color:#ff0000;"&gt;TNT will ensure that the software is active, tell you when the last scan was and about any issues, and if policy is configured to quarantine a machine that is dirty, it knocks it into a quarantine zone.&lt;/span&gt;&lt;br /&gt;5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. &lt;span style="color:#ff0000;"&gt;TNT’s NAC alternative does this by ensuring that the software is on, and will synchronize with a real time database of known worms, bots, and other malware&lt;/span&gt;&lt;br /&gt;5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs &lt;span style="color:#ff0000;"&gt;TNT has the ability to tell admins whether or not the mechanisms are not only up to date but active, and to quarantine the device until it is compliant&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116620064390380946?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116620064390380946/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116620064390380946' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/37657084/posts/default/116620064390380946'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116620064390380946'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/12/pci-dss-requirement-5.html' title='PCI DSS Requirement 5'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116463227686042858</id><published>2006-11-27T04:45:00.000-08:00</published><updated>2006-12-12T08:52:59.396-08:00</updated><title type='text'>PCI Compliance - Where's the Beef?</title><content type='html'>I might be dating myself a bit when I reference the old Wendy's ad, but I find myself compelled to because it sums up the PCI Compliance rackets unfolding before our eyes. So I must ask - Where's the beef?&lt;br /&gt;&lt;br /&gt;I just did a &lt;a href="http://www.google.com/search?hl=en&amp;amp;q=PCI+Compliance"&gt;Google Search on PCI Compliance&lt;/a&gt;, and got a lot of data but no real information back on the first page of the search. What I got was a lot of scanning/reporting/discovery links and solutions, but no real solutions. It's the equivalent of looking for a hamburger and getting all bun. Not what I had in mind. So what did I have in mind?&lt;br /&gt;&lt;br /&gt;How about a reference architecture?&lt;br /&gt;&lt;br /&gt;How about something other than a nice neat document format to tell me what I already know, just repurposed and re-formatted so I get credit for producing data, vs. 
producing results and solutions (which is what my bonus is tied to)?&lt;br /&gt;&lt;br /&gt;How about something specific for a solution other than self assessment forms?&lt;br /&gt;&lt;br /&gt;How about a &lt;a href="http://senduit.com/d4d65e"&gt;bullet by bullet breakdown of a solution &lt;/a&gt;as it relates to each part of the PCI Specification?&lt;br /&gt;&lt;br /&gt;How about some information that I can use? That I can validate/invalidate for myself in my environment? That does something more than tell me what I already know with absolutely no direction or opinion on what I could do?&lt;br /&gt;&lt;br /&gt;Keep reading folks. I will share what I know, what I learn, and let you decide if it's right for you, and how useful the solutions are.&lt;br /&gt;&lt;br /&gt;&lt;a href="mailto:pcistuff@gmail.com"&gt;pcistuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116463227686042858?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116463227686042858/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116463227686042858' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116463227686042858'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116463227686042858'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/11/pci-compliance-wheres-beef.html' title='PCI Compliance - Where&apos;s the Beef?'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116411564302536060</id><published>2006-11-21T05:21:00.000-08:00</published><updated>2006-11-21T05:27:23.936-08:00</updated><title type='text'>PCI Sample Architecture</title><content type='html'>&lt;a href="http://photos1.blogger.com/blogger/6383/194/1600/PCI%20Architecture.jpg"&gt;&lt;img style="CURSOR: hand" alt="" src="http://photos1.blogger.com/blogger/6383/194/320/PCI%20Architecture.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;I have been asked quite a bit to produce a diagram that outlines, at a high level, a sample architecture. I finally did it and it is posted above. There are a few things I want to point out:&lt;br /&gt;&lt;br /&gt;1. I am no Visio expert, but you should get the point&lt;br /&gt;2. This diagram assumes you have encryption on the network already&lt;br /&gt;3. This solution will cost less than $100,000 and you can also add in the benefits of NAC with the same architecture.&lt;br /&gt;&lt;br /&gt;Bottom line: this is simple and powerful, it's deployed in production today (I helped design the solution) at a customer site, and it is inexpensive considering all it does. 
Ping me if you want to know more - &lt;a href="mailto:pcistuff@gmail.com"&gt;pcistuff@gmail.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116411564302536060?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116411564302536060/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116411564302536060' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116411564302536060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116411564302536060'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/11/pci-sample-architecture.html' title='PCI Sample Architecture'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116404853887619787</id><published>2006-11-20T10:46:00.000-08:00</published><updated>2006-11-29T05:11:57.596-08:00</updated><title type='text'>Requirement 4 - All about Encryption</title><content type='html'>Requirement 4: Encrypt transmission of cardholder data across open, public networks&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. 
Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).&lt;br /&gt;&lt;br /&gt;•4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:&lt;br /&gt;• Use with a minimum 104-bit encryption key and 24 bit-initialization value&lt;br /&gt;• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS&lt;br /&gt;• Rotate shared WEP keys quarterly (or automatically if the technology permits)&lt;br /&gt;• Rotate shared WEP keys whenever there are changes in personnel with access to keys &lt;span style="color:#ff0000;"&gt;TNT allows organizations to terminate access to ALL environments in seconds, even if the employee has access to an organization owned machine&lt;br /&gt;&lt;/span&gt;• Restrict access based on media access code (MAC) address. &lt;span style="color:#ff0000;"&gt;TNT is more comprehensive than this. MAC addresses can be spoofed. 
Multiple serial numbers from multiple hardware attributes combined with authenticated user data cannot.&lt;br /&gt;&lt;/span&gt;•4.2 Never send unencrypted PANs by e-mail.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116404853887619787?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116404853887619787/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116404853887619787' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116404853887619787'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116404853887619787'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/11/requirement-4-all-about-encryption.html' title='Requirement 4 - All about Encryption'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116404837776554351</id><published>2006-11-20T10:31:00.000-08:00</published><updated>2006-11-27T04:44:42.406-08:00</updated><title type='text'>PCI Requirement 3</title><content type='html'>This is some of the meat of the spec, in my opinion. This is yet another area for managed service providers to develop a solution for this. It wouldn't be that hard.&lt;br /&gt;&lt;br /&gt;Requirement 3: Protect stored cardholder data&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;•3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. 
Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.&lt;br /&gt;•3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted).&lt;br /&gt;•Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:&lt;br /&gt;–3.2.1 Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data&lt;br /&gt;–In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the accountholder’s name, primary account number (PAN), expiration date, and service code. To minimize risk, store only those data elements needed for business. NEVER store the card verification code or value or PIN verification value data elements. Note: See “Glossary” for additional information.&lt;br /&gt;–3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions&lt;br /&gt;•Note: See “Glossary” for additional information.&lt;br /&gt;–3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.&lt;br /&gt;&lt;br /&gt;•3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:&lt;br /&gt;• Strong one-way hash functions (hashed indexes)&lt;br /&gt;•Truncation&lt;br /&gt;•Index tokens and pads (pads must be securely stored)&lt;br /&gt;•Strong cryptography with associated key management processes and procedures.&lt;br /&gt;–The MINIMUM account information that must be rendered unreadable is the PAN.&lt;br /&gt;&lt;br 
/&gt;If, for some reason, a company is unable to encrypt cardholder data, refer to Appendix B: “Compensating Controls for Encryption of Stored Data.”&lt;br /&gt;–3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts.&lt;br /&gt;&lt;br /&gt;•3.5 Protect encryption keys used for encryption of cardholder data against both disclosure and misuse. &lt;span style="color:#ff0000;"&gt;TNT will allow a company to restrict and audit, in real time, access to all sensitive data, including access to the network, the server, and the application in which it is stored. TNT will also cloak all of the sensitive assets so that if a user using a specific machine tries to access an application.&lt;/span&gt;&lt;br /&gt;•3.5.1 Restrict access to keys to the fewest number of custodians necessary &lt;span style="color:#ff0000;"&gt;TNT will enable and enforce from 2 to n users from 2 to n specific machines&lt;br /&gt;&lt;/span&gt;•3.5.2 Store keys securely in the fewest possible locations and forms.&lt;br /&gt;&lt;br /&gt;•3.6 Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following:&lt;br /&gt;–3.6.1 Generation of strong keys&lt;br /&gt;–3.6.2 Secure key distribution&lt;br /&gt;–3.6.3 Secure key storage&lt;br /&gt;–3.6.4 Periodic changing of keys&lt;br /&gt;As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically. At least annually. &lt;span style="color:#ff0000;"&gt;The TNT Solution offers one of the most compelling ways to handle this that I've seen. 
Their software binds the user's fully qualified domain name (post authentication) AND a unique machine ID together, hashes and encrypts it and then inserts it into the packets leaving a machine. This means that if the machine is lost and/or compromised, the machine and the user will not be able to gain access to that application from that device again. If hardware changes on the machine (someone installs another hard drive with hacker tools) then the machine invalidates itself and must get a new software key.&lt;br /&gt;&lt;/span&gt;–3.6.5 Destruction of old keys&lt;br /&gt;–3.6.6 Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)&lt;br /&gt;–3.6.7 Prevention of unauthorized substitution of keys&lt;br /&gt;–3.6.8 Replacement of known or suspected compromised keys&lt;br /&gt;–3.6.9 Revocation of old or invalid keys&lt;br /&gt;–3.6.10 Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116404837776554351?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116404837776554351/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116404837776554351' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116404837776554351'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116404837776554351'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/11/pci-requirement-3.html' title='PCI Requirement 3'/><author><name>Mark Mac 
Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116404700575317023</id><published>2006-11-20T10:16:00.000-08:00</published><updated>2006-11-20T10:23:25.993-08:00</updated><title type='text'>PCI Requirement 2</title><content type='html'>This entry covers Requirement 2 for PCI Compliance. In essence, quite a bit of common sense went into this requirement, but as we see in other aspects of life, you should not ignore pointing out the obvious.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.&lt;br /&gt;&lt;br /&gt;–2.1 Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).&lt;br /&gt;–2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wireless equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable. 
&lt;span style="color:#ff0000;"&gt;TNT will allow you to control access by endpoints allowing only users from authorized devices to access your environment&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;- 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).&lt;br /&gt;–2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)&lt;br /&gt;–2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function)&lt;br /&gt;–2.2.3 Configure system security parameters to prevent misuse&lt;br /&gt;–2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.&lt;br /&gt;&lt;br /&gt;-2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access. &lt;span style="color:#ff0000;"&gt;TNT will work with any encryption technology in place so that you can extend what you already have/own. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;-2.4 Hosting providers must protect each entity’s hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: “PCI DSS Applicability for Hosting Providers.” &lt;span style="color:#ff0000;"&gt;TNT’s solution is ideal for data centers, allowing the providers to audit, segment, and enforce entire customer environments with a single piece of technology. 
In fact if I were going to start a business, it would be to use TNT as a service offering to secure and audit the most sensitive data of customers.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116404700575317023?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116404700575317023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116404700575317023' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116404700575317023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116404700575317023'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/11/pci-requirement-2.html' title='PCI Requirement 2'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-37657084.post-116378153841314801</id><published>2006-11-17T08:11:00.000-08:00</published><updated>2006-11-17T08:38:58.426-08:00</updated><title type='text'>Level 2, Level 3, and Level 4 PCI Solutions</title><content type='html'>I thought I would start another blog for pcistuff to keep it separate and distinct from my &lt;a href="http://identitystuff.blogspot.com"&gt;Identitystuff blog &lt;/a&gt;where I discuss Identity Management issues.&lt;br /&gt;&lt;br /&gt;This initial entry is designed to lay out what specific parts of the PCI Specification I can satisfy in less than a week. 
At the highest level, I can't help with encryption or documentation, but anything to do with limiting access and auditability I will absolutely help with. The stuff in &lt;span style="color:#ff0000;"&gt;Red&lt;/span&gt; is where I will help. I also did all of the hard work for you if you are evaluating solutions.&lt;br /&gt;&lt;br /&gt;PCI Requirements:&lt;br /&gt;&lt;br /&gt;•Build and Maintain a Secure Network&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;–Requirement 1: Install and maintain a firewall configuration to protect cardholder data&lt;br /&gt;&lt;/span&gt;–Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters&lt;br /&gt;•Protect Cardholder Data&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;–Requirement 3: Protect stored cardholder data &lt;/span&gt;&lt;span style="color:#ff0000;"&gt;&lt;br /&gt;&lt;/span&gt;–Requirement 4: Encrypt transmission of cardholder data across open, public networks&lt;br /&gt;&lt;br /&gt;•Maintain a Vulnerability Management Program&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;–Requirement 5: Use and regularly update anti-virus software&lt;br /&gt;&lt;/span&gt;&lt;span style="color:#ff0000;"&gt;–Requirement 6: Develop and maintain secure systems and applications&lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;•Implement Strong Access Control Measures&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;-Requirement 7: Restrict access to cardholder data by business need-to-know&lt;br /&gt;-Requirement 8: Assign a unique ID to each person with computer access&lt;/span&gt;&lt;br /&gt;-Requirement 9: Restrict physical access to cardholder data &lt;/p&gt;&lt;p&gt;&lt;br /&gt;•Regularly Monitor and Test Networks&lt;br /&gt;&lt;span style="color:#ff0000;"&gt;-Requirement 10: Track and monitor all access to network resources and cardholder data&lt;br /&gt;&lt;/span&gt;-Requirement 11: Regularly test security systems and processes &lt;/p&gt;&lt;br /&gt;•Maintain an Information Security Policy&lt;br 
/&gt;&lt;span style="color:#ff0000;"&gt;-Requirement 12: Maintain a policy that addresses information security&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Specifics:&lt;br /&gt;&lt;br /&gt;PCI Requirement 1&lt;br /&gt;&lt;br /&gt;•1.1 Establish firewall configuration standards that include the following:&lt;br /&gt;•1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration &lt;span style="color:#ff0000;"&gt;TNT Does this in real time&lt;/span&gt;&lt;br /&gt;•1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks &lt;span style="color:#ff0000;"&gt;TNT Auto discovers users, machines, networks, servers, applications (port)&lt;br /&gt;&lt;/span&gt;•1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone &lt;span style="color:#ff0000;"&gt;TNT will segment and enforce your policies by user, device, group, application, server, health posture or network&lt;/span&gt; &lt;br /&gt;•1.1.4 Description of groups, roles, and responsibilities for logical management of network components &lt;span style="color:#ff0000;"&gt;TNT proactively manages this in real time&lt;br /&gt;&lt;/span&gt;•1.1.5 Documented list of services and ports necessary for business &lt;span style="color:#ff0000;"&gt;TNT will auto discover ALL ports (even rogue) and allow you to report them in real time&lt;br /&gt;&lt;/span&gt;•1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN) &lt;span style="color:#ff0000;"&gt;TNT logs all connection data between users, machines, and ports&lt;/span&gt;&lt;br /&gt;•1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP), which includes reason for use of protocol and security features 
implemented&lt;br /&gt;•1.1.8 Quarterly review of firewall and router rule sets &lt;span style="color:#ff0000;"&gt;TNT will enable you to establish and audit policy in real time, before enforcement is enabled&lt;br /&gt;&lt;/span&gt;•1.1.9 Configuration standards for routers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;1.2 Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. &lt;span style="color:#ff0000;"&gt;This is what TNT’s solution does&lt;/span&gt;&lt;br /&gt;1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:&lt;br /&gt;&lt;br /&gt;•1.3.1 Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters) &lt;span style="color:#ff0000;"&gt;TNT denies ALL connections that are not from a specific user, machine, IP address, etc. 
providing unparalleled control&lt;/span&gt;&lt;br /&gt;•1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ &lt;span style="color:#ff0000;"&gt;TNT will control access from and access to specific networks, machines, and resources in real time allowing specific segmentation policies to be set and proactively enforced.&lt;/span&gt;&lt;br /&gt;•1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only ”established” connections are allowed into the network) &lt;span style="color:#ff0000;"&gt;This is TNT’s core functionality – TNT controls access to resources and networks based on what identity attributes are in the SYN header of every TCP/IP packet on the network&lt;br /&gt;&lt;/span&gt;•1.3.4 Placing the database in an internal network zone, segregated from the DMZ &lt;span style="color:#ff0000;"&gt;TNT establishes a virtual physical zone so that only one user from one machine has access to a single application, even if there are other applications on the same server&lt;br /&gt;&lt;/span&gt;•1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment &lt;span style="color:#ff0000;"&gt;TNT’s solution restricts by user, machine, subnet and health level&lt;/span&gt;&lt;br /&gt;•1.3.6 Securing and synchronizing router configuration files. 
For example, running configuration files (for normal functioning of the routers), and start-up configuration files (when machines are re-booted) should have the same secure configuration &lt;span style="color:#ff0000;"&gt;TNT eliminates the need for this&lt;br /&gt;&lt;/span&gt;•1.3.7 Denying all other inbound and outbound traffic not specifically allowed &lt;span style="color:#ff0000;"&gt;TNT does this in real time with unparalleled granularity&lt;br /&gt;&lt;/span&gt;•1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes) &lt;span style="color:#ff0000;"&gt;Installing TNT’s solution behind an AP, allows you to track and control EVERY connection through it&lt;br /&gt;&lt;/span&gt;•1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network. &lt;span style="color:#ff0000;"&gt;TNT’s solution builds a unique and unalterable identity of each machine in the environment and combines this with authenticated user information to create pervasive identity against which access controls are applied&lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;span style="color:#ff0000;"&gt;&lt;span style="color:#000000;"&gt;•1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). 
&lt;span style="color:#ff0000;"&gt;TNT would accomplish this by keeping all non identified/known users from any and all networks, infrastructure, applications and data in an enforced policy&lt;br /&gt;&lt;/span&gt;•1.4.1 Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic &lt;span style="color:#ff0000;"&gt;TNT will allow an organization to deny all signalling within and between networks in seconds&lt;br /&gt;&lt;/span&gt;•1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ. &lt;span style="color:#ff0000;"&gt;TNT will lock down specific resources by users, machines, and networks to each other&lt;br /&gt;&lt;/span&gt;•1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT). &lt;/span&gt;&lt;span style="color:#ff0000;"&gt;TNT stops all masquerading of identity because we have a known users FQDN &amp; unique machine ID hashed and encrypted and embedded in every packet. You cannot be anyone else from any other machine. TNT's solution is transparent to NAT. 
We always know it's you and what machine you're using.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;Stay Tuned for PCI Requirement 2!!&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/37657084-116378153841314801?l=pcistuff.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pcistuff.blogspot.com/feeds/116378153841314801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=37657084&amp;postID=116378153841314801' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116378153841314801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/37657084/posts/default/116378153841314801'/><link rel='alternate' type='text/html' href='http://pcistuff.blogspot.com/2006/11/level-2-level-3-and-level-4-pci.html' title='Level 2, Level 3, and Level 4 PCI Solutions'/><author><name>Mark Mac Auley</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_b7vaXgPAx8U/SkzBiF2okwI/AAAAAAAAACA/YEaO7xGCuAA/S220/P1000777.JPG'/></author><thr:total>0</thr:total></entry></feed>
