
What Is the PCI of Bank Payments? - mattmarcus
https://www.moderntreasury.com/journal/what-is-the-pci-of-bank-payments
======
korethr
This article recommends using SOC2 compliant vendors. I wouldn't put faith in
a SOC2 certificate. A vendor whose infrastructure consists almost entirely of
hardware and software that's been EoL for years (and wasn't up-to-date
before support expired) can pass SOC2, so long as they show that their
firewall does NAT for security.

Okay, I'm being somewhat hyperbolic, NAT for security is not the only box a
company has to tick to get a SOC2 cert. But I'm being less hyperbolic about
long-EoL kit passing SOC2 audits. IMO, a vendor running unsupport(-ed|-able)
kit should be an immediate disqualifier.

~~~
NoPicklez
As someone who has performed SOC2 compliance reviews, these are not small
tasks. I've performed them on companies that manage core banking systems for
other banks and credit unions.

Currently, across quite a lot of critical infrastructure there are legacy
systems which are EoL. However, there are aspects or layers to the software
which are not, or are protected by higher layers of security.

If your vendor's ENTIRE environment is almost EoL software and hardware then
yes, that is highly concerning and would make it very difficult for them to
demonstrate appropriate security controls. However, the reality is that most
of the environments I have assessed have only a small portion of their
software/hardware environment that is EoL. That is often protected by
significant layers of security above that.

~~~
JustARandomGuy
Out of curiosity, when you're doing a SOC2 compliance review, are you relying
on their documentation of security measures, or would you check to see that
the documentation matches the security measures that are in place?

~~~
NoPicklez
Documentation of security controls means very little; yes, having a framework
with a suite of policies and procedures is important, but a proper SOC 2
review is all about actually seeing it in place.

We do a deep dive, where we understand all of the security controls, we then
test the design of these security controls through reviewing security
configurations within the systems themselves. Then testing the effectiveness
of these controls.

So yes, we review documentation and then perform an independent review of the
security measures/controls in place. For instance, understanding how batch
processes are configured, then testing that the appropriate security controls
in relation to batch processes operated effectively.

------
the8472
_> The security risk to bank account details is regionally specific. In
Europe, IBAN and BIC numbers are readily given out. One reason why is that
they are only used in the credit direction._

That's not true, IBANs can be used for direct debit between supporting banks.
That's most commonly used for repeat invoices but some shops also support it
as payment option for one-time purchases, although instant payments are taking
over the latter use-case.

~~~
mehrdadn
Do IBANs allow debit without reliable authorization? In the US having a bank
account number (and I suppose maybe a name/street address for more
plausibility) is enough to print a check and then withdraw money from it. Do
IBANs let a random person do that, or do they need verification from the
account?

~~~
seaghost
They do, but direct debit is only allowed to “large” companies that move a lot
of money in my experience. Usually you have to consent to allow direct debit,
sometimes in the paper form, sometimes just by entering your account number.
My startup tried to add direct debit via Stripe but our bank didn’t allow us
to because we don’t move a lot of money through our bank accounts, and also
we’re not known. I think a lot of financial things in Europe are based on
trust.

~~~
dogma1138
Are you sure you aren’t confusing a bank transfer with direct debit? DD in the
US requires PAD/PAP between the debtor and the collector and is cleared
through ACH regardless of the size of the account or the sum.

~~~
formerly_proven
No, what GP is saying absolutely is a thing, but not terribly common. Bosch PT
Service is one of not that many companies that use it. You only give them your
IBAN and check a box basically saying you authorize them to debit the money
from your account.

~~~
dogma1138
That’s how Direct Debit works all over the world: that tick is the PAD/PAP
contract being signed; you basically pre-approve debit requests with it.

------
waihtis
Quarterly vuln scans don’t really make the cut in the modern world. Take
CVE-2020-1350 (MS DNS vuln) as an example - it took about 48 hrs from
publicizing the vuln to a working exploit to appear on Github.

If you scan per quarter, and it takes you n days or weeks (or months) to fix
the critical stuff, it’s quite a window of exposure - per each vuln. Any
midsize org will carry hundreds or thousands. Enterprises much more.
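
A small model of the window-of-exposure argument above (an added example,
not from the thread or from the article). It assumes scans run on a fixed
schedule, that a vulnerability is only noticed at the first scan on or after
its publication date, and that it is fixed a fixed number of days after that
scan. The CVE-2020-1350 publication date and its roughly 48 hours to a public
exploit come from the comment; the EXAMPLE-* entries, the scan anchor date and
the fix SLA are constructed placeholders.

```python
"""Exposure window implied by a periodic vulnerability-scan cadence.

Assumptions (constructed for this example): scans occur at
SCAN_ANCHOR + k * cadence_days for any integer k; a vulnerability is detected at
the first scan on or after its publication date and remediated fix_sla_days
after that scan.
"""
from datetime import date, timedelta
from math import ceil

# Constructed sample input. CVE-2020-1350 (published 2020-07-14, ~2 days to a
# public exploit) is from the comment; the EXAMPLE-* rows are made up.
SAMPLE_VULNS = [
    {"id": "CVE-2020-1350", "published": date(2020, 7, 14), "exploit_days": 2},
    {"id": "EXAMPLE-0001", "published": date(2020, 8, 3), "exploit_days": 30},
    {"id": "EXAMPLE-0002", "published": date(2020, 9, 20), "exploit_days": 7},
]

# Constructed: the date one scan happened to run; the schedule repeats from here.
SCAN_ANCHOR = date(2020, 7, 1)


def first_scan_on_or_after(published, scan_anchor, cadence_days):
    """Date of the first scheduled scan that falls on or after `published`."""
    if cadence_days < 1:
        raise ValueError("cadence_days must be >= 1")
    days_since_anchor = (published - scan_anchor).days
    k = ceil(days_since_anchor / cadence_days)  # next slot in the schedule
    return scan_anchor + timedelta(days=k * cadence_days)


def exposure_for(vuln, scan_anchor, cadence_days, fix_sla_days):
    """Detection date, fix date and exposure window for one vulnerability."""
    detected = first_scan_on_or_after(vuln["published"], scan_anchor, cadence_days)
    fixed = detected + timedelta(days=fix_sla_days)
    exploit_public = vuln["published"] + timedelta(days=vuln["exploit_days"])
    return {
        "id": vuln["id"],
        "detected": detected,
        "fixed": fixed,
        "exposure_days": (fixed - vuln["published"]).days,
        # True when a public exploit exists before the fix lands
        "exploit_beats_fix": exploit_public < fixed,
    }


def exposure_report(vulns, scan_anchor, cadence_days, fix_sla_days):
    return [exposure_for(v, scan_anchor, cadence_days, fix_sla_days) for v in vulns]


def compare_cadences(vulns, scan_anchor, cadences, fix_sla_days):
    """cadence -> (worst exposure in days, count of vulns where exploit beats fix)."""
    result = {}
    for cadence in cadences:
        rows = exposure_report(vulns, scan_anchor, cadence, fix_sla_days)
        result[cadence] = (
            max(r["exposure_days"] for r in rows),
            sum(r["exploit_beats_fix"] for r in rows),
        )
    return result


if __name__ == "__main__":
    summary = compare_cadences(SAMPLE_VULNS, SCAN_ANCHOR, [90, 30, 7, 1], 14)
    for cadence, (worst, beaten) in summary.items():
        print(f"scan every {cadence:>2} days: worst exposure {worst:>3} days, "
              f"exploit public before fix for {beaten} of {len(SAMPLE_VULNS)} vulns")
```

The worst-case window is roughly one scan interval plus the fix SLA, so with a
quarterly scan the detection latency alone can dwarf the time it takes an
exploit to appear; shortening the cadence only helps as much as the fix SLA
allows, which is why the two numbers have to be tuned together.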

~~~
rsync
Obligatory:

[https://www.rsync.net/resources/regulatory/pci.html](https://www.rsync.net/resources/regulatory/pci.html)

~~~
acomjean
PCI compliance helps a little.

When I was doing IOT power/temperature monitoring, sometimes companies wanted
us to show PCI compliance before attaching our hardware to their networks (we
weren't), which meant we had to explain to them to put us on a separate
network, without credit card processing devices.

~~~
krallja
PCI compliance is extremely easy if you don’t handle PANs. Provide a SAQ that
says “we don’t handle PANs” and you’re compliant.

~~~
czbond
Caveat if you are small business. Otherwise, with lots of charges it costs
about $100k+ annually in validation, not including labor effort. A startup can
hit this quickly, but only under certain circumstances.

~~~
mahmoudimus
If you're a startup and you need PCI DSS compliance, please contact me -
mahmoud [@] verygoodsecurity.com and I'd love to help!

------
Fiveplus
The point about subjecting your external vendor to the technical audit of
their security services as well is a good one.

------
bob1029
Audits and compliance only take you so far. If your actual motivations are to
truly improve security, perhaps offering code samples, libraries and reference
architectures would be more helpful. Throwing compliance requirements at a
technical team is an excellent way to distract them away from a truly secure
architecture.

That said, there are a lot of actors out there who need babysitting and
absolutely should not be allowed to participate in payment networks without
some sort of initial & ongoing due diligence.

This whole thing is a delicate balancing act, but in my experience dealing
with PCI-DSS, it's currently an extremely heavy-handed approach. I cannot help
but wonder if the primary intent of this sort of standard isn't to just keep
competitors out.

------
Animats
Ad for Modern Treasury.

------
coachtrotz
The NACHA response is missing the forest for the trees. Securing the account
data is great, but it's only a small piece of the puzzle.

It doesn't:

a) penalize ACH Originators responsible for submitting the fraudulent entry
(beyond the recently implemented $4.50 charge)

b) do anything to promote alternative account numbers for EFTs, which in
theory could be better protected as they won't be on paper checks

c) promote better validation tools to prevent the likes of Plaid and entities
using their APIs from harvesting broad amounts of private consumer financial
data

------
miohtama
How about two-factor authentication as a baseline recommendation for online
ACH? Even the infamously recently discussed SMS authentication.

~~~
wiredfool
ACH is a ca. 24-hour batch process that does not include authentication. 2FA
isn’t even really a possibility with the ACH system.

