PCI-DSS 3 E-Commerce Learning

Disclaimer: This articles is a part of my research into PCI-DSS, and is not a definitive source of information

Payment Card Industry Data Security Standard, PCI-DSS for short, is a standard for organizations that handle cardholder data of branded credit cards from the major card schemes including Visa, MasterCard, and American Express. It is maintained by the PCI Security Secuirty Standards Council.

Non-compliance to PCI-DSS can result in a range of consequences, including range of fines and liability implications.

Cardholder Data

PCI-DSS defines cardholder data as follows:

  • Full PAN (primary account number)

When the full PAN is present, other sensitive data includes:

  • Cardholder name
  • Expiration date
  • Service code

It is allowable that a PAN’s can be masked for display by showing the first six and last four digits.

Compliance Extend beyond IT

While IT can help to make it easier to manage processes, but there is no way to replace responsibility and ownership of critical customer data.

Even if IT solution is purchased from a vendor claiming that they have attained PCI-DSS compliance before, it actually cannot encompass all of the control objectives required by PCI-DSS when an organization uses an instance of such a vendor solution. There are many controls apply to business process rather than any IT implementation.

For example, just because a website is hosted on SquareSpace, it doesn’t mean they are automatically PCI-DSS compliant. I wonder how many organizations actually do the due diligence of reading into what compliance actually requires when given the complex jargon of the documentation and numerous IT requirements to actually be compliant.

E-Commerce SAQs

Self-assessment questionnaires (SAQ) are validation tools provided by the PCI Security Standards Council intended to assist merchants and service providers in self-evaluating their compliance to PCI-DSS. The language of these SAQs would likely take an IT professional who has looked into PCI-DSS to see which one actually applies a particular e-commerce solution.

 

For e-commerce, one of SAQ A, SAQ A-EP or SAQ D would apply. Each contain a different set of validation criteria and recommendations an organization would have to meet, along with the significant cost differences to comply to each.

In general, a merchant must always be PCI-DSS compliant if they accept credit card payments, even if the card is entered on another site. Payment processors such as PayPal/Stripe/Recurly would typically recommend the merchant to completing SAQ A at minimum.

 

Just because the requirement is not a checkbox on the SAQ, it doesn’t mean that the merchant can ignore being responsible for implementing the requirements of the PCI-DSS. For example, they still need to make an effort to secure their network as well as show evidence of this. I am reading that experts who are evaluating solutions which would fall under SAQ A actually use the SAQ A-EP as much as possible to mitigate risks.

The following diagram provided by the PCI council tries to show the distinctions of which SAQ to use in various documents:

E-CommerceSAQ

From SAQ_InstrGuidelines_v3-1.pdf

VISA Europe had published an e-commerce payments guide which is more clear which SAQ to pick, as pointed out by the PCIGuru blog:

Matrix

Vulnerability scans occurring every quarter from external ASVs (approved scanning vendors) are required in SAQ A EP, SAQ D, but not under SAQ A. The list of ASVs is maintained by the PCI Security Standards Council, and adds additional cost to operating an e-commerce solution.

Under SAQ A, the merchant server serving the redirect/iFrame is not in scope for PCI-DSS compliance because no part of the merchant’s server touches CHD (card holder data).

Types of Controls

Control objectives PCI DSS requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy 12. Maintain a policy that addresses information security

From PCI-SSC quick guide, pulled from Wikipedia

Consider SaaS and Avoid Self-Hosting

Speaking from my own experience, IT professionals who know how to solve the problem of creating an e-commerce solution may not have knowledge about PCI-DSS compliance and pick the wrong solutions for your organization as a result. These organizations may have to find out the hard way via a data breach or fine to happen.

With any IT solution, ‘economy of scale’ results in products which meet more requirements at an affordable cost. Use well-known true software-as-a-service (SaaS) platforms which provide explicit documentation and support on how to operate a PCI-DSS compliant solutions.

For example, I would recommend the likes of SquareSpace and Shopify to provide a solution instead of self-hosting store-front using WordPress or Magento for organizations who cannot afford to have dedicated IT operations. Trusting off-the-shelf WordPress plugins to be part of a PCI-DSS compliant solution has the potential for pitfalls. There is a similar challenge with picking PCI-DSS compliant web hosting.

Additional Reading

  1. PCI Security Standards Understanding PCI-DSS v3
  2. PCI Security Standards PCI-DSS v3 SAQ A
  3. Recurly – PCI-DSS Compliance

Windows Activation Admin Commands

Capture

Some useful notes for administration of for use with Windows 7/8/10 activation.

Tools

Retrieve Windows 7/8/10 key:

ShowKeyPlus releases as discusssed on TenForums

Commands

Needs to be executed with administrative rights

Show current Windows version

winver

Get licensing status and activation ID:

slmgr.vbs /dlv

Activate license and product key against Microsoft server:

slmgr.vbs /ato

Install a new valid key, where Xs represent a Windows key:

slmgr.vbs -ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Bring up the change product key prompt to change Windows edition or input a new key:

slui 3

Bring up the phone activation prompt:

slui 4

Additional Notes

In-Place Upgrade for Non-Activated Windows Installs

Windows 10 10586 build does not seem to allow for in-place upgrade of non-activated Windows 7 installs without forcing the user to enter another valid key, but Windows 10 10240 works.

Feature Upgrade from Windows 10 Home to Pro without Reinstalling Windows

When moving from Windows 10 Home to Pro edition, it is enough to use the product key change command ‘slui 3’, to change the product key to a Pro edition key to do an upgrade if you have a key available. It is not required to do a full reinstall, nor it is necessary to have to download any installation images of Windows 10. Once the feature upgrade to Windows 10 Pro edition has completed, use the ‘slui 3’ command again but with a genuine Windows key and proceed with normal activation. To prevent failed activation of the generic key, disconnect from the internet before a the genuine Windows key is entered.

MMMan

Promising Smartphone Trends in 2016

While 2015 would be considered a year of stagnation in the world of Android based smartphone hardware for some, largely due to disappointing high-end applications processors from Qualcomm, the year for 2016 should on track for consumers to regain confidence in the platform improvements in both power efficiency and performance.

Power Efficiency with SoC Die Shrinks

The move to 14 & 16 nm manufacturing continues to promise to reap great benefits for power efficiency in the year of 2016, with more manufacturers shipping their SoCs based on the updated processes.

On the application processor side, Snapdragon 820 promises major performance-per-watt improvements over its predecessors. Qualcomm should have their X16 modem chipset available this year to further improve efficiency.

Samsung launched the Exynos 7 Octa 7420 with a 14 nm applications processor in 2015, typically configured with the modem part at 28 nm with Samsung Shannon 333 or Qualcomm at 20 nm. The Exynos 8 Octa is expected to launch with the application processor and modem at 14 nm this year. Intel’s Atom applications processors have been on 14 nm for quite a while now, but their XMM7460 modem is supposed to be available late this year.

14 &16 nm manufacturing technology is starting to reap benefits for other chip vendors as well in HiSilicon’s Kirin 950 and Mediatek’s X30 platforms.

These change hopefully lead to significant improvements in battery life under mobile data workloads in more devices.

Performance Improvements with Sufficient Memory

Android device hardware for this year finally seems to be inline with what is needed.

There were still many devices released in 2015 which were not equipped with enough RAM, which resulted in significantly reduced system performance. For example, the Canadian LG Stylo released in 2015 had only 1 GB RAM before other allocations. However, at CES 2016, LG’s newest mid-range all seem to have sufficient memory (1.5 GB) on paper to be able perform well from a performance perspective.

Intel released a memory tuning guide in August 2015, and this finally seems to be consistent with what manufacturers are equipping their devices with today:

Density and Screen Size 32 Bit Device 64-Bit Device
Android Watches 416 MB Not applicable
hdpi or lower on small/normal screens
mdpi or lower on large screens
ldpi or lower on extra large screens
424 MB Not applicable
xhdpi or higher on small/normal screens
tvdpi or higher on large screens
mdpi or higher on extra large screens
512 MB 832 MB
400dpi or higher on small/normal screens
xhdpi or higher on large screens
tvdpi or higher on extra large screens
896 MB 1280 MB
560dpi or higher on small/normal screens
400dpi or higher on large screens
xhdpi or higher on extra large screens
1344 MB 1824 MB

– Minimum physical memory required by kernel and user-space in Android 5.1 (Intel Aug 2015)

Display Improvements

Look forward to more consumer devices adopting improvements in display technologies including IGZO and LTPS displays.

Other Trends

  • NAND storage speeds have gotten ‘good enough’ for most devices released in 2015 even on generic devices, and should no longer be of concern in newly released devices
  • Android 6 reintroduces the ability to expand internal storage using microSD expansion as well as significantly increased standby battery life, and should be considered compulsory
  • In 2015, we saw significant improvements in image quality for smartphones across all manufacturers, and this year should be a continuation of this trend. The major areas of improvement to look for are in low light performance, focus speeds, and video stabilization
  • Google will be looking to proliferate Android Pay, so look for devices equipped with fingerprint sensors and NFC to take advantage

Hardware Video Acceleration for YouTube on Chrome for PC

Capture

Google Chrome is one of my favorite browsers, but there are some tweaks particularly with YouTube video decoding which are worth looking for most users out there who are not using one of the newest Intel or Nvidia GPUs.

Revert to H264 from VP8/VP9

The easy fix is to install the open-source h264ify on the Chrome web store

Then if you check ‘Stats for nerds’ by right-click on a YouTube video, you can see that the mime type says ‘avc’ right after where it says ‘codec’. You are all done then! Watch your CPU temperatures drop!

After

The most common way for video decoding support to be broken is the fact that YouTube switched to WebM video formats VP8 and VP9 in their video browsers when using the HTML5 player. This video format is NOT supported for hardware decoding for some hardware configuration today, including all AMD graphic devices.

It’s great for Google to flout that the VP9 codec has been pushed to millions of consumers, but this comes at the cost of higher power consumption and lower performance compared to the universally hardware accelerated video format of H264 for hardware dating back 2008 (Intel GL40).

Video Card Blacklists

There’s may also be patches in Google Chrome to prevent hardware video decoding for Intel depending on the video driver installed, which blocks older Intel GPUs by default. This can be verified by going to ‘chrome://gpu/’ to see if ‘video decode’ has ‘hardware accelerated’ next to it.

This can be forced on with setting the ‘#ignore-gpu-blacklist’ in chrome://flags/, but you do run the risk of running into other rendering issues. My Lenovo Thinkpad X200 (Intel GMA4500MHD) drops video frames for all 720p 60fps YouTube videos to the point that the video becomes completely unwatchable, even with hardware acceleration turned on.

The way to check if your video-card supports VP8/VP9 video decoding is via DXVAChecker

TV Specifications 2015 Year-End Review

Video

The above shows the compression ratios for current and upcoming generations of TVs. For this current holiday season, UHD-1 TV sets (4k resolution at 60 fps) have premium pricing. We also have a slew of 4k devices only capable of 30 fps, which may be worse than 1080p devices capable of 60 fps, in my opinion.

  • Resolution – 4k resolution (3840×2160) has more dots per surface area, and can display more at a time
  • Framerate – 60 fps (frames per second) is considered the optimal rate for gamers because it represents smoother game play and eliminates noticeable frame judder. The same applies for TVs. Above 60 fps is considered to be good for action but not strictly necessary.
  • Color – technologies for HDR (high dynamic range), 10-bit/12-bit color depth, 4:4:4/4:2:2/4:2:0 color subsampling (bigger the better)
  • Connectivity – HDMI 2.0+ or DisplayPort 1.2+ connections are mandatory to guarantee sufficient bandwidth deliver the video signal. TVs do not typically come with DisplayPort connector.
  • Bitrate – Measured in megabits per second, this is only really a concern for streaming content over the Internet for most folks out there with some sort of data usage cap. Most connections can achieve the sustained download speeds required by UHD content. However, to sustain 10 Mbps stream over a hour typical of 1080p, it consumes over 4 gigabytes an hour.
  • Smart – usually means the TV can either playback files or connect to the Internet. However, smart TVs get outdated fast, as manufacturers typically are not good at updating the devices, and the software outpaces the TV sets by a large margin. TVs can last 5 years or more, but software tends to be obsolete in less than half that time
  • Content protection – you need HDCP 2.2+ for some newer content for copy-protection of UVD content, but that is only if you wish to buy a Bluray player that requires this.
  • Codec – there is some confusion here as well, because HEVC uptake has been rather slow, with branding causing even more confusion. As with previous video standards, hardware support for processing video efficient has been mixed.HEVC is also referred to as H265. The previous video codec which has been popularized was H264, specifically 8-bit. Hi10P is a specific profile of H264 which allows for a 10 bit color space for more accurate color representation, but there is very limited hardware level encoding or decoding support for Hi10P, particularly on PCs.
    • HEVC PC codec support as of 2015 – only Nvidia Maxwell 2nd generation cards support HEVC decoding in hardware up to 10 bit color space for UVD-1 compatibility, and Intel has partial support which is of limited use. AMD doesn’t support HEVC at all
    • HEVC streaming box support as of 2015 – for the Apple/Amazon/Google TV solutions, this is limited as well, even on the 1080p front. Do your research…

I am not very compelled at all by newer TV features past 1080p at this point. There just isn’t much consumable media available at a high resolutions of 4k, nor am I willing to spend extra to pay for the added quality in the color data. There’s a good chance that you need to invest in new playback hardware as well. I’m happy to stick with 720p content for a long while to come.

The exception is that higher video quality is nice to have for photography and videography. Smartphones technologies have been leading in this direction, but you would need a high resolution display and a compatible player to take advantage. This doesn’t bode well for TV manufacturers going forward for typical consumers with so much confusion in being able to understand the technology

Future

Reference:

 

LinkedIn – Beyond the ‘All-Star’ Profile

AllStar

Sharing a few outstanding tips after a recent learning session on LinkedIn, beyond getting your profile strength to ‘All-Star’ and actually making it count:

  1. Differentiate the headline beyond a job title
  2. Notify your contacts trigger to ‘No’ when making many changes to the profile until you need to let others know
  3. Customize all communications to others as much as possible: connections, messages, recommendations
  4. Thank people for connecting with you
  5. Summary section has a 2000 character limit, which would be effectively used and put key strengths and career highlights. Sample structure as follows:
    • credibility – past experience
    • story – with why you do what you do
    • value proposition – where you make a difference
    • call to action – do you want to be contacted?
    • success – list of accomplishments

Missing Pen/Stylus Cursor in Windows

Capture

After upgrading one of a Wacom active stylus based HP 2710P to Windows 10, the pen/stylus cursor disappeared.

This issue is corrected with setting the following Windows registry entry (regedit): HKEY_CURRENT_USER\Control Panel\Cursors\PenVisualization, as a DWORD type with a hex value of 23, as shown below.

Screenshot

(Stylus illustration from https://msdn.microsoft.com/en-us/library/ms702418(v=vs.85).aspx)