In the payment card industry, the security of IT systems is critical. Because these systems process sensitive data, they must meet the requirements of the standards that apply to them. One of those requirements is regular penetration testing, which verifies the actual level of security and is a condition of compliance with the PCI Card Production standards.

Offering comprehensive services in card production, delivery and personalization, TAG Systems handles particularly sensitive data: personal data, payment card numbers (PANs) and authentication data in the form of PIN codes. This makes a high level of security necessary, and the primary method of verifying it is the regular performance of penetration tests. The requirement is defined in section 5.8 of the PCI Card Production standard (Logical Security Requirements), which requires internal and external penetration tests to be carried out at least once a year and after any significant change to the infrastructure.
The tests must cover all components of the personalization network, including the operating systems. Additionally, the application layer must be checked for at least the following vulnerability classes:

  • data injection (e.g. SQL injection),
  • buffer overflow,
  • inadequate cryptographic protection,
  • incorrect handling of errors.
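As an added example (not code from the original article or from BCC or TAG Systems), the following Python block shows what checking the first and last items of that list looks like in practice: a lookup function that concatenates user input into SQL and returns the raw database exception, next to its parameterized form with a generic error message, and a small black-box probe of the kind an application-layer test sends. The table, rows, payloads and function names are constructed for this demo; the cardholder data is fictitious.

```python
"""Added example: SQL injection and error-leak check, vulnerable vs. hardened.
Not part of the original article; table, rows and payloads are constructed."""
import sqlite3

# Constructed payloads a tester sends to the "name" parameter of a lookup form.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"   # turns the WHERE clause into "always true"
PAYLOAD_QUOTE = "'"                 # unbalanced quote: breaks the statement

GENERIC_ERROR = "request could not be processed"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a personalization database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholder (id INTEGER PRIMARY KEY, name TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cardholder (name, pan_last4) VALUES (?, ?)",
        [("Anna", "1234"), ("Bartek", "5678"), ("Celina", "9012")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Injectable: input is concatenated into the SQL text, and the raw
    database exception is handed back to the caller (error-handling weakness)."""
    sql = f"SELECT name, pan_last4 FROM cardholder WHERE name = '{name}'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}   # leaks engine internals


def lookup_hardened(conn, name):
    """Parameterized: input is bound as data and never parsed as SQL; any
    database error is mapped to a generic message (log the detail server-side)."""
    try:
        rows = conn.execute(
            "SELECT name, pan_last4 FROM cardholder WHERE name = ?", (name,)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": GENERIC_ERROR}


def probe(lookup, conn):
    """Black-box check: compare a tautology and an unbalanced quote against a
    baseline request for a name that does not exist."""
    baseline = lookup(conn, "no-such-cardholder")
    tautology = lookup(conn, PAYLOAD_TAUTOLOGY)
    quote = lookup(conn, PAYLOAD_QUOTE)
    return {
        # more rows for a tautology than for a nonexistent name: input reached the SQL parser
        "tautology_extra_rows": len(tautology["rows"]) > len(baseline["rows"]),
        # error text other than the application's generic one: DB internals reach the client
        # (in a real test one looks for engine strings such as "syntax error" or "unrecognized token")
        "leaks_db_error": quote["error"] not in (None, GENERIC_ERROR),
    }


def is_injectable(lookup, conn) -> bool:
    report = probe(lookup, conn)
    return report["tautology_extra_rows"] or report["leaks_db_error"]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(lookup_vulnerable, db))
    print("hardened:  ", probe(lookup_hardened, db))
```

Against the vulnerable function the tautology returns every cardholder row and the lone quote returns the SQLite error text; against the parameterized function the same payloads return no rows and no error. The same two signals (row-count differential and engine-specific error strings) are what a scanner flags, and what a tester then confirms by hand before reporting.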

PCI Card Production

All companies and systems involved in the production, personalization and distribution of payment cards, including the processing and delivery of authentication data (e.g. PIN codes), are required to comply with the PCI Card Production standard. The standard is divided into two documents: Physical Security Requirements and Logical Security Requirements. Compliance with the requirements described in both documents is a prerequisite for obtaining PCI certification.

The role of BCC

The method chosen for verifying system security was ethical hacking as proposed by BCC (now All for One Poland): a service consisting of detailed, methodical testing of networks and systems for flaws and vulnerabilities. In practice it is a simulation of a real attack on the infrastructure, carried out either from the Internet or from the internal network in the role of a malicious insider. Thanks to the competence of BCC's consultants and the use of specialist tools, this practical attempt to breach the security of TAG Systems' infrastructure allowed its level of security to be verified comprehensively.

Testing

The penetration tests were carried out according to the following methodologies:

  • NIST SP 800-115 (National Institute of Standards and Technology, Technical Guide to Information Security Testing and Assessment)
  • Offensive Security
  • OWASP Top 10 (Open Web Application Security Project)

BCC's consultants have been building their security expertise for years and hold certifications recognized in the IT industry. The combination of their knowledge and experience with specialized software and internationally recognized penetration testing methodologies ensures that security is verified to a high standard.

Three stages of testing

At the first stage, a remote penetration test of the Internet-facing perimeter of the tested environment was carried out. The work was performed in a black-box scenario, without any prior knowledge of the systems.

The work began with identification and enumeration. The systems were then scanned with vulnerability scanners. Each finding was verified in the next step so that false positives could be rejected. Where an exploit was available for a confirmed vulnerability, an attempt was made to use it against the tested infrastructure.

At the second stage, the security of the HSA (High Security Area) internal network was verified on site. For this stage, a network plan and information on the addresses and roles of the critical systems were made available to the consultant. In this scenario, the separation between the individual VLANs of the internal network was additionally verified.

At the third stage, the security of the applications and databases used in the payment card personalization process was tested. Applications with a user interface were subjected to additional tests to determine whether direct access to the processed data could be obtained. The safeguards applied to protect the processed data were also verified.

Throughout the tests, the consultant remained in constant contact with the administrators and reported critical vulnerabilities found in the tested systems as soon as they were confirmed.

Summary

The tests were summarized in a comprehensive report documenting the course of the work and describing the vulnerabilities found, together with recommendations for remediating them. It also contained guidance for hardening the configuration of the tested devices and systems. The appendices included the raw output of the specialized software (the vulnerability scanners).

Security of systems above all

In our industry, penetration testing is an indispensable practice. Our systems must be secure, which is why we regularly conduct security tests. By simulating a hacker attack, BCC (now All for One Poland) comprehensively checked our company's security and provided us with a final report that helped us better secure our systems.

Jacek Nowacki, Managing Director, Tag Systems

Pentests at BCC

BCC provides IT security services in the broad sense, including penetration tests. Our team of certified security consultants takes on the role of a group of attackers (pentesters) and checks a company's security by performing pentests according to the scope and scenario agreed with the customer. We also carry out configuration audits covering security settings, hardening, good practices and other guidelines and methodologies.
We work according to our own methodology of carrying out penetration tests and audits of the security configuration based on:
– experience of BCC and several dozen projects in the field of IT security,
– techniques prepared by reputable organizations dealing with the security of IT systems (including OSSTMM, EC-Council, OWASP, COBIT).


TAG Systems offers comprehensive services in card production and delivery, card personalization (including additional services) and the preparation of dedicated microprocessor-based applications (e.g. identification and loyalty applications, electronic tickets, and PKI). The company is equipped with the latest card production equipment operating in a highly secure environment. Its annual production capacity exceeds 80 million cards. The cards are produced in Andorra, and personalization facilities are located in Spain, Colombia and Poland. TAG Systems also has offices in Russia and Norway.