K3DES provides computer and network security assessments, network vulnerability scanning, application penetration testing, application code reviews, cryptographic and security consulting, cryptographic training, forensic assessments and fraud analysis for the electronic payments industry.

Payment Card Industry (PCI) Data Security Standard Assessments

The payment card industry has adopted stringent security requirements designed to protect the security of cardholder information. They are known as the Payment Card Industry (PCI) Data Security Requirements. Visa U.S.A.’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection (SDP) are programs for managing and enforcing compliance with PCI security requirements. Account Information Security (AIS) is the program that Visa Europe and Visa Asia-Pacific use to manage and enforce compliance with PCI. PCI requires many merchants and service providers to have an approved assessor perform an annual assessment to validate compliance using the PCI Security Audit Procedures document.

Internal and External Vulnerability Scans

PCI requirement 11.2 requires Internal and External vulnerability scans of network and system components. K3DES is an approved scan vendor (ASV) and is therefore can provide external vulnerability scans to meet requirement 11.2. K3DES can also provide internal vulnerability scans; however, under PCI requirements you may choose to do this within your organization using commercial and open source tools.

Application Penetration Testing

K3DES has partnered with NTObjectives to perform application penetration tests. SQL injections are listed as #4 in Visa’s top 5 security vulnerabilities affecting Visa merchants and service providers. In addition to SQL injections, organizations need to test for additional vulnerabilities as identified in the Open Web Application Security Project (OWASP) top ten. Because of these common vulnerabilities, applications have recently become high value targets because they allow an attacker to pass through the firewall, avoid intrusion detection system and access to cardholder data stored in a database. The only solution to prevent these attacks is to test all forms of user input in your existing applications.

PCI Payment Application Data Security Standard (PA-DSS) Assessments

K3DES is a Payment Application Qualified Security Assessor (PA-QSA) and performs compliance assessments for the PA-DSS. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI Data Security Standard (DSS).

PCI PIN Security Reviews

Visa and MasterCard have adopted the Payment Card Industry (PCI) PIN Security Requirements. Visa and MasterCard require annual assessments by qualified assessors to demonstrate compliance with PCI PIN Security Requirements. K3DES personnel have been approved by Visa and MasterCard to perform PCI PIN Security Reviews.

TG-3 PIN Security Reviews

Star, PULSE, and NYCE, require that ATM and POS acquirers connected to their networks demonstrate compliance with the PIN security requirements contained in TG-3-2006. The compliance review must be performed by a person who is approved by the networks. K3DES has approved personnel ready to perform your TG-3 review.

PCI and TG-3 PIN security consulting and training

K3DES works with eSmart Solutions to provide network endorsed TG-3/TR-39 trainings and CTGA certification.

Fraud Investigations

K3DES performs forensic investigations of ATM and POS fraud to help determine the cause and prevent recurrence. If you experience a suspected or confirmed security breach, you should conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise. To prevent the further loss of data:

  • Contact an incident response and forensics specialist
  • Do not access or alter compromised systems (i.e., don’t log on at all to the machine and change passwords, do not log in as ROOT)
  • Do not turn the compromised machine off. Instead, isolate compromised systems from the network (i.e., unplug cable)
  • Preserve logs and electronic evidence