Adam Myers
Hello and welcome to our podcast Tales from the CyberLab. My name’s Adam Myers, I’m the Sales Director here at CyberLab and I’ll be your host for today. I’m joined by Tharun – welcome! Can you just tell us a little bit about your role and what you do on a day-to-day basis?
Tharun Udayasankar
Sure. So myself, I’m working as a Cyber Security Consultant for CyberLab. And my job role involves certifying organisations on cyber essentials and cyber assurance mostly. And I do the consulting for scoping an organisation for achieving cyber essentials and cyber assurance. And I would provide some education and awareness on how to achieve these cyber essentials and also what are all the things that are involved apart from that aspect.
Adam Myers
Amazing. And what we’re going to be discussing today is around PCI DSS. So can you just maybe tell us a little bit about what PCI DSS is and what sort of, I guess, organisations are trying to achieve by getting that sort of certification?
Tharun Udayasankar
Sure. So PCI DSS: the abbreviation is Payment Card Industry Data Security Standard, and card companies like American Express and MasterCard and Visa and two more other banks as well, they all combined together and formed a framework called PCI DSS, and that sets a baseline for any business that handles cardholder data or for a business if they use a card for a transaction. And it is essential for that business to ensure that they follow the PCI DSS framework and that it has been implemented in their organisation as a compliance.
Adam Myers
Right. Amazing. So is that something they’ll work towards annually or how often will they look to achieve that standard?
Tharun Udayasankar
Yes, it differs from organisation to organisation, and it has to be achieved annually. If a business transacts or processes cardholder data, it is mandatory for them to be compliant at all times, basically.
Adam Myers
So essentially if e-commerce websites or anyone taking merchant payments, they need to work towards that sort of standard?
Tharun Udayasankar
Yes, definitely. Banks and service providers mostly require any merchant to have that PCI DSS compliance report available with them. And that must have been completed within a year or in a 12-year gap, sorry, a 12-month gap basically.
Adam Myers
Okay. Yeah, I guess there are probably a lot of organisations that, are they fully aware of that? I guess they might need some help and support in trying to achieve that standard, because I can imagine there are certain tick boxes and certain areas that you need to consider as part of that review. So I guess that’s where you and your role on a day-to-day basis help with that, I guess.
Tharun Udayasankar
Sure. It is mandatory for those organisations to ensure that if they are processing cardholder data, or if they are even receiving the card in order to just tap it on their PDQ machines to complete their transaction, they have to be confident that the cardholder data that they have processed at that moment is completely secure and that there are no loopholes or any grey areas where the cardholder data can be available or accessible by anyone other than the bank or the merchant.
Adam Myers
Okay. Amazing. So just into our next topic, so what are the common challenges businesses face with PCI DSS?
Tharun Udayasankar
First of all, they have to understand that it’s their responsibility to be compliant with PCI DSS. For example, it doesn’t matter if it is going to be a corner shop where we purchase milk using a card, or it can be as big as when we come home and upload our card information to a streaming platform or to an e-commerce website for monthly or annual renewal. If an organisation holds cardholder data, then it is their responsibility to ensure that that information is securely stored and securely processed. For example, if a company requests their customer to upload their cardholder data or just type their card information on their webpage, it can go into various levels. First it can be stored by the merchant themselves, and second it can be transferred to a third-party service like Stripe or PayPal. So these kinds of differences are what an organisation must understand: which sort of services they have opted for. And based upon that their self-assessment questionnaire can change. And if that has changed, then the process towards achieving PCI DSS compliance will also be changing. But sometimes it will involve vulnerability scanning performed by an approved scanning vendor, and if not, they may require a QSA to completely audit them. And this can also differ based upon the amount of transactions that they do annually.
Adam Myers
There are levels to it, aren’t there, from what I understand. So level one to four, depending on the number of transactions and equally the number of scans that you need to perform, whether it’s annually or quarterly. So I guess understanding that sort of framework that you need to operate and work towards, that’s kind of where I guess you come in to help them.
Tharun Udayasankar
Exactly. So we will be having a discussion with them and then to understand what is their business and what is their business transaction type. And then based upon that we will be able to understand what is going on at the moment and then based upon that we’ll be able to guide them on how to be compliant.
Adam Myers
Yeah, amazing. What does CyberLab offer to support PCI DSS compliance?
Tharun Udayasankar
Yes. So the PCI DSS consultancy that we are offering, we can integrate that with the Cyber Essentials and cyber assurance services that we offer also. So we have a very good response from our customers or the clients; they have mentioned that the Cyber Essentials process is well streamlined and it is easy for them to be with that process and then get certified on Cyber Essentials. And we have applied the same theme on the PCI DSS assessment. So first we’ll be having a scoping call with them to understand what sort of business they are and what sort of transactions they handle. And next, upon having that understanding, we will be having some detailed discussion with the technical team. It’s kind of a gap analysis, and we will find out what are all the areas that need to be improvised, what are the areas that need to be compliant and are already compliant, and how the scope can be modulated as well, because it is the scope that plays a vital role in achieving PCI DSS compliance. And so once we have determined the scope, this is what it is going to be. Then if it requires vulnerability scanning, the vulnerability scanning would be performed by an approved scanning vendor, a PCI DSS approved scanning vendor. We have partnered with them, and they will be the ones who will be configuring the scan and performing the scan and identifying the vulnerabilities and reporting it to the customer, and we will be providing guidance on how to fix that vulnerability. And then if it has been remediated, then we will be contacting them and a rescan will be conducted. And it’s an ongoing process, because most customers would require a quarterly scan to be done as it is mandatory for them, and a few may not even require a scan basically. But from that perspective, to be on the safer side, we suggest that an annual scan or a periodic scan done on their webpages is required to be safe and to feel like you.
Adam Myers
Yeah, good. So I guess there, it’s like, payment fraud’s huge, isn’t it? And the potential if you were to gain access. So I guess when you are doing this vulnerability scanning and looking at the network, I guess that is the endpoints, maybe PDQ machines that were attached and whatever. So you’re kind of scanning that network, aren’t you, to make sure that it’s safe, and that’s part of that pen test process and vulnerability scan process that you kind of undertake. Is that right?
Tharun Udayasankar
Definitely. Since you mentioned PDQ, if an organisation has a PDQ machine and it is connected to the company wifi network, it is mandatory for that organisation to have vulnerability scanning performed on their external or public-facing IP address, and that would change their approach, so they will have an idea of how secure the network is.
Adam Myers
Yeah, I guess you’d segment that network, wouldn’t you to lock it down to some extent and whatnot. But I guess the big one is probably online now, isn’t it? More and more like you said, Stripe and certain PayPal, most sites now do e-commerce and I guess that’s just on a whole different scale. I guess in terms of potentially the ramifications, we actually did a live hack, which we performed around inputting malicious code and SQL into potential databases to target e-commerce sites. So again, there’s lots there that can expose organisations really.
Tharun Udayasankar
Definitely. And after COVID there has been a surge in e-commerce websites and businesses that are using card transactions or NFC (contactless payments). Basically the surge in that has also resulted in attacks being conducted on smaller businesses as well, where the PDQ machines can be forged and card skimming has happened through that as well. So there have been cases reported on that. And so right now I think there’s around like 96 specific surge in that specific attack type. So
Adam Myers
What is card skimming exactly? Just if you can explain that to our audience.
Tharun Udayasankar
Definitely. So card skimming, basically, imagine a scenario where you go to the corner shop and tap your card and then purchase a bottle of milk and then come back home. If the card machine is not encrypted, or it is a completely forged one which can store your cardholder data information, your mag strip information, your PIN numbers; sometimes we may face a situation where we have to insert the card and type the PIN number, and if the machine is forged and it can store the PIN numbers and card information and other details as well, then that basically, that’s called card skimming, and that can lead to an attacker getting hold of the card information and causing a financial loss to us.
Adam Myers
And if anyone is interested in seeing that SQL injection hack that we did do, please like and subscribe, and we can share that with our users. So a really insightful way of demonstrating how we can bypass systems and tools. Brilliant. So how has CyberLab helped clients succeed with PCI DSS?
Tharun Udayasankar
So first I would like to share this with a live example, which we did. So we certified an organisation on their Cyber Essentials, and a few weeks later we got a call from the director and they wanted us to help with their SAQ as well, the self-assessment questionnaire. That was completely, we were not prepared for that, and it was not our daily job at the time as well. So what we did was we requested the SAQ to be sent out, and then we reviewed it, and then we understood that, okay, we definitely need a gap analysis call with the client. And then we organised that, and then we understood what their business is, it’s a radio company, we understood their business and then we understood what are all the payment methods that they had. So what we did later was we required some documentation. So that is where CyberLab has a very good process in receiving the documentation and analysing it and finding out what information is required and what the pieces of missing information are. We found that out, and then we provided that back to the client and they were able to share that information as well. And we found out that they require a certain level of SAQ and a certain level of vulnerability scanning as well. And we were able to make them concrete on PCI DSS. So that is how we started implementing the team that we have on Cyber Essentials and on Cyber Essentials Plus as well. So we found, we had a gap analysis call with them, and then we understood their requirement, and then based upon that we were offering the line of services that we could offer, not just throwing all the services at them, but very specifically tailoring what it would require for that specific organisation.
Adam Myers
Yeah, I think for anyone listening, it’s quite a useful thing to be able to come to a single company to be able to perform all that. So you can get Cyber Essentials, Cyber Essentials Plus, you can also look at doing PCI DSS, you can do your penetration test. I think that for me is a way that maybe you might look at quarterly or annually or after a major project change, but it’s a really good way to make sure you’re compliant and tick those boxes. Definitely.
Tharun Udayasankar
And since we did the Cyber Essentials, we had an idea about what their infrastructure is, and we were able to have some documented information as well. So what we require, if we had it already, then we would suggest that, okay, we have it already, and then it’s just the other parts that they have to be working on. Yeah,
Adam Myers
Amazing. Are there any real-life examples of maybe where we’re seeing big payment card frauds happening in the news, or that have been announced, that maybe our users are aware of?
Tharun Udayasankar
Sure. It was in the year 2018, there was an attack on the Ticketmaster website by a consortium of attackers called Magecart, who mainly target the payment processing of an organisation. So how they worked was they would target a company’s or a third-party vendor’s payment processing webpage. So they would inject it with JavaScript code, and that would sit on that website silently, observing all the transactions that are happening. And that’s how they got hold of millions of cardholder data records, and it became a huge impact for a line of companies who were using that as a service. British Airways was one of the major companies that got affected as well. So it is the responsibility of organisations to ensure that, not just if they have outsourced their, for example, imagine a scenario where a small company has outsourced their payment page to a third-party organisation like Stripe. And if their website has been compromised, where an API programme can retrieve the payment information from the website and it is still processing in the background, where a third-party service like Stripe is responsible for payment transaction storing, they wouldn’t be aware that there has been a loophole or someone has been targeted, where their information has been extracted from a third-party vendor, the smaller companies. They have to make sure that, and that is the reason CyberLab has been suggesting that vulnerability scanning be performed on their website regardless of whether they have outsourced their payment pages to a third-party organisation. It is responsible, and only based upon that they will have a clear idea of how their website is, how their external-facing IP address is secure, and if the infrastructure is secure as well.
Adam Myers
So really anyone taking payments online via e-commerce or payment over the web, essentially it’s your responsibility to make sure that that is secure and that you are sort of interacting with third party payment providers essentially. Is that the takeaway?
Tharun Udayasankar
Yeah.
Adam Myers
So what makes CyberLab’s PCI DSS service stand out in the market?
Tharun Udayasankar
At CyberLab, we have always been known to simplify the requirements to the company or to the business, and we would help them identify the scope, and based upon the scope we would be working with them to help them achieve that standard or that certification. And the same on PCI DSS as well. PCI DSS can be vast for an organisation, but we at CyberLab have simplified that process for the customer, and we have helped them identify which set of SAQ will be applicable to them. And once we have identified that, then we’ll be proceeding with the other parts of the process as well, whether they require vulnerability scanning or whether they require penetration testing. And if a QSA is required, then it has to be done with a company that has a QSA as well. So we advise them on which will be the most suitable solution for them.
Adam Myers
Yeah, I guess with things like supply chain risk, working and trading in the general marketplace, if you want to partner with somebody, you want to make sure that the organisation that holds your information or your data or transacts for you is also secure. So I think achieving that standard of having PCI DSS but also Cyber Essentials or Cyber Essentials Plus is key, isn’t it, in terms of business as a whole, as sort of trade and how we operate as businesses in the UK.
Tharun Udayasankar
Definitely, the organisations that would outsource their payment transactions to a third-party organisation like Stripe or PayPal, it would make that organisation’s life a little bit easier, because they’re not going to be responsible for storing the cardholder data or processing cardholder data, because it is those giant organisations, which have very good security practices at their end, who will ensure that the cardholder data of that merchant is secure. But it is still the responsibility of that merchant to ensure that there are no loopholes. So if an organisation requires vulnerability scanning, but we suggest that a vulnerability scan is required for a payment page or their external IP address at all times. And if it requires, then definitely it has to be done with a PCI-approved scanning vendor, and they have a very good scan solution, and through that the scanning will be conducted and it’ll be shared with us and with the merchant as well. So we’ll be working towards being secure at all times. Did I answer your question?
Adam Myers
Yeah, that was very good. Yeah, no comprehensive. So yeah – and very detailed. I’m learning lots here. Learning lots. Hope the audience is too. Just leads me on to, so Hack Risk is coming out soon, which is essentially supply chain management risk and vetting your third party organisations that you operate and work with. So check that out. It’ll be launched in October, but look out on the website for further information on Hack Risk. Really exciting times. So what should businesses do if they’re interested in PCI DSS as a service?
Tharun Udayasankar
So they can reach out to CyberLab, and one of our accounts team members will be in contact with them, and then we can have a proper conversation about understanding their business. So we consultants will also be on the call with them, and we will be able to identify what could be in scope and what could be out of scope and what needs to be explained in detail as well. Because that area is very important for us, to understand that we are not missing any of their infrastructure items from this PCI DSS scope.
Adam Myers
Yeah, yeah, it’s like a short questionnaire from what I’ve seen in terms of the number of questions that we can ask, to get an idea of your business, and from there we can sort of bespoke that package to work towards what you’re trying to achieve. Yeah, amazing. Okay. So if there’s one thing we should take away from this podcast episode, what would be your take on PCI DSS and businesses trying to obtain that accreditation?
Tharun Udayasankar
Sure. PCI DSS can be a little bit daunting and a little bit vague if applied to an organisation or to a business, depending upon their size. But CyberLab can help them to simplify the requirement and simplify that entire process for them to be compliant. And organisations like charities and schools and colleges, they mostly outsource their payment processing to companies like Stripe or donation payment processors. But still it is essential for that merchant, by which I mean the schools, colleges, and charities. So they will have to be thorough that they are PCI DSS compliant as well, and CyberLab will be able to help them be confident on that and help them achieve it.
Adam Myers
Amazing. Yeah. So that concludes this episode of Tales from the CyberLab. Join us next time for next month’s episode. Until then, Stay Secure.