SysTrust

Session 11
Other Assurance Services
• SysTrust
• Payment Card Industry security standard compliance
EECS4482 2016
David Chan
1
SysTrust
• A system assurance service developed by the American Institute of Certified Public Accountants (AICPA) and Chartered Professional Accountants Canada (CPA Canada).
• Audits have typically covered new systems in an organization, or systems shared by a number of partner organizations.
• High control assurance.
SysTrust Principles
• The Availability Principle addresses
accessibility to the defined system, products,
or services as advertised or committed by
contract, service-level, or other agreements.
• The Security Principle requires an entity to
meet high standards for the protection of the
system components from unauthorized
access, both logical and physical.
Main Trust Principles
• The Processing Integrity Principle requires an entity to meet high standards for the completeness, accuracy, timeliness, and authorization of system processing, including the processing of electronic commerce transactions.
All three principles must be satisfied.
Optional Trust Principles
• Confidentiality – no unauthorized viewing
• Privacy – confidentiality of personal info
SysTrust Audit
• The auditor has to be licensed by AICPA or
CPA Canada specifically for SysTrust
engagements.
• The outcome of the audit consists of a
report and an unqualified opinion on the
internal controls to support the system.
• High control assurance.
Control Criteria
• The organization operating the system selects criteria (objectives) from the list provided by CPA Canada or AICPA to satisfy each main principle and each selected optional principle. Unless a criterion does not apply to the environment, it must be selected. The wording of the criteria may not be changed.
• Each control criterion is supported by control activities (procedures), which can be manual or automated, developed by management.
Difference Between SysTrust and CSAE 3416
• Each stated criterion in the report must be met by controls in order to obtain an unqualified SysTrust report.
• A CSAE 3416 report has restricted distribution.
• SysTrust addresses system reliability, whereas CSAE 3416 addresses financial statement assertions.
• CSAE 3416 is more flexible, as it uses control objectives instead of principles prescribed by CPA Canada and AICPA.
SysTrust Users
• Hosting organization
• User organizations
• Trading partners, e.g., automated vendor
inventory replenishment
SysTrust Report
• An opinion on management’s asserted controls.
• The opinion does not cover the system description, although the system description is often included in the report. If the auditor knows that the system description is misleading, s/he should not issue an opinion on the controls.
• The opinion covers a reporting period of not more than one year.
Drivers for SysTrust Audit
• The potential conflict of interest between the
system operator and system user or owner.
• The complexity of systems, requiring expertise to
conduct an audit that would provide a reasonable
degree of assurance about their conformity with
system reliability principles and criteria.
Drivers for SysTrust Audit
• The remoteness of users from systems requiring
an independent objective representative to observe
the system on their behalf.
• The consequences of system unreliability.
• The four conditions above may contribute
individually to the need for assurance services
related to the reliability of an entity’s key
information system(s) and they may also interact
to increase the need for such assurance.
Process of a SysTrust Audit
• The system hosting organization decides to pursue a SysTrust audit.
• The system hosting organization hires an accounting firm.
• The system hosting organization selects optional principles, as well as criteria for the mandatory and optional principles.
• Management develops control activities for each criterion.
Process of a SysTrust Audit
• Accounting firm assesses the adequacy of
control criteria and procedures.
• Accounting firm conducts testing.
• Accounting firm provides report to system
hosting organization.
• System hosting organization shares report
with user organizations.
Options to Address Control Deficiency
• Fix the control if there is still time.
• Replace the control with another existing
control.
• Remove an optional principle.
• Cancel the engagement.
Payment Card Industry (PCI) Security Standard
• Developed by the PCI Security Council formed by
major card issuers: Visa, MasterCard, American
Express, Diners Club, JCB International and
Discover Card.
• All issuing financial institutions and merchants
that take credit card transactions on the Internet
have to comply.
• Failure to comply may lead to financial penalty.
PCI Security Standard
• Visa and MasterCard require major
merchants and IT service organizations
(over 1 million transactions annually or
over 20,000 eTransactions annually) to have
an annual external validation for
compliance.
PCI Standards
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data, including encryption.
4. Encrypt transmission of cardholder data across the Internet.
PCI Standards
5. Use regularly updated anti-virus software
6. Develop and maintain secure systems and
applications
7. Restrict access to cardholder data by
business on a need-to-know basis
8. Assign a unique ID to each person with
computer access
PCI Security Standard
9. Restrict physical access to cardholder data
10. Track and monitor all access to network
resources and cardholder data
11. Regularly test security systems and
processes
12. Maintain a policy that addresses
information security
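As an added example (not part of the lecture slides), the following Python script shows one concrete control behind requirements 3 and 10: scanning application logs for card numbers that should never have been written in plain text and masking them to the last four digits, so that the finding can be logged and followed up. The log lines are constructed test data, the card numbers are well-known test numbers, and the Luhn checksum is used only as a filter against false positives such as order numbers and session ids.

```python
"""Added example, not from the lecture slides: detect and mask primary
account numbers (PANs) that have leaked into application logs.
Log lines and card numbers are constructed test data."""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the portion PCI allows to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, masked_pans_found) for one log line.
    Digit runs that fail the Luhn check (order numbers, session ids) are
    left untouched."""
    found = []

    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        masked = mask_pan(digits)
        found.append(masked)
        return masked

    return PAN_CANDIDATE.sub(repl, line), found


def scan_log(lines):
    """Scrub every line; return (scrubbed_lines, number_of_pans_found)."""
    out, hits = [], 0
    for line in lines:
        clean, found = scrub_line(line)
        out.append(clean)
        hits += len(found)
    return out, hits


# Constructed sample log: lines 2 and 3 carry test PANs, lines 1 and 4 carry
# digit runs that look card-like but fail Luhn.
SAMPLE_LOG = [
    "2016-11-02 10:14:03 INFO checkout order=4000123456789012 total=19.99",
    "2016-11-02 10:14:05 DEBUG gateway request pan=4111 1111 1111 1111 exp=1219",
    "2016-11-02 10:14:06 DEBUG gateway request pan=5555-5555-5555-4444 exp=0120",
    "2016-11-02 10:15:00 INFO session=1234567890123 user=alice",
]

if __name__ == "__main__":
    cleaned, n = scan_log(SAMPLE_LOG)
    print(f"{n} PAN(s) masked")
    for line in cleaned:
        print(line)
```

Running the script masks the two gateway debug lines and leaves the order and session identifiers alone; in practice the count of hits per source is the signal that a component is writing cardholder data to logs and needs fixing, and the scrubbed output is what may be retained.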
PIN
• Not stored in banks.
• A value computed from the PIN, card
number, card unique mathematical key and
expiry date is stored in the bank.
• Thus, the actual PIN is not visible to bank
employees.
• Choose PINs that are easy for you to
remember but difficult for others to guess.
David Chan - Nov 2016
21
Payment Card Encryption
• Businesses and financial institutions are required by MasterCard, Visa and American Express to “not store” card numbers in plain text. Credit card number leakage can be catastrophic, e.g., the Target hack in 2014.
• Shred your credit card and bank statements; better still, opt for eStatements.
Payment Card Data Storage (PCI Council)
Payment Card Encryption
1. The PIN, card number and expiry date are hashed together and stored on the card chip. This is in addition to the plaintext storage of the card number and expiry date on the card’s magnetic strip. The latter is required to support point-of-sale terminals that do not accommodate chip technology, and also as a backup in case the chip is no longer readable (e.g., damaged by wear and tear).
2. The card issuing financial institution encrypts the card number and expiry date using a card-specific key, then subtracts the newly created or changed PIN from the last 4 digits of the encrypted value and stores the difference, called a PIN offset. The PIN itself is not stored anywhere.
3. A PIN is verified by the financial institution by repeating the above calculation and comparing the calculated PIN offset with the stored PIN offset.
4. A hash of the card-specific key is stored in the chip; the card issuing financial institution uses it to authenticate the card before verifying the PIN.
5. For an offline terminal, the terminal computes the same hash as that stored in the card in step 1 and compares it to the hash value read from the card.
6. The card number and expiry date are encrypted using the card issuing financial institution’s public key and then stored in the chip. When the card is used online, the encrypted card number and expiry date are transmitted.
Payment Card Encryption
7. Card numbers and PINs sent by a financial institution that did not issue the cards to the issuing financial institution are encrypted using a symmetric key shared between the two financial institutions.
8. The card downloads the terminal’s digital certificate and verifies it using the issuer’s (e.g., Visa’s) public key. Each point-of-sale terminal has a digital certificate specific to the brand of card it accepts (e.g., Visa).
9. The card downloads the terminal-specific Triple DES or AES 112-bit key, encrypted with the terminal’s private key, which the card decrypts with the terminal’s public key.
10. For offline transactions, the card encrypts the PIN, card number and transaction data using the terminal’s symmetric key for transmission to the terminal.
11. For online transactions, the point-of-sale terminal downloads the card issuing financial institution’s digital certificate, signed by the issuer (e.g., Visa).
12. For online transactions with a terminal, the card encrypts the terminal ID, card number and transaction data using the issuing financial institution’s public key and sends them to that institution.
13. The financial institution sends the approval or “decline” message to the card.
14. The card then shares the message with the terminal.
15. The card then re-encrypts the result of the transaction (approved or declined), along with the transaction amount and terminal ID, using the terminal’s public key, and stores the encrypted data package, called a transaction certificate, in the card.
Payment Card Encryption
16. The upload of offline point-of-sale transactions to the merchant’s financial institution is encrypted using a terminal-specific symmetric key, which has been sent to the financial institution encrypted with the institution’s public key.
17. The settlement of the transaction between the card issuing financial institution, the ultimate credit card issuer (e.g., Visa) and the merchant’s financial institution is encrypted using unique symmetric keys between each pair of organizations.
18. For ATM transactions, the ATM generates a one-time symmetric key, encrypts it using the financial institution’s public key and sends it to the financial institution.
19. Data transmission for ATM transactions is encrypted with the one-time symmetric key.
20. Data transmission between the ATM’s financial institution and the card issuing financial institution is encrypted using a symmetric key shared between the two institutions.
21. For eBanking transactions, SSL encryption is used, just as in eBusiness.
22. The 3 or 4 digit card verification value (CVV) on the back of a credit card is not stored anywhere. It is derived by encrypting the card number and expiry date using a key specific to each card, kept by the issuing financial institution.
23. Completed transactions should be sent by the point-of-sale terminal to the company’s data center encrypted using the data center’s public key.
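Steps 2, 3 and 22 above, as an added worked example that is not part of the lecture slides: the issuer stores a PIN offset rather than the PIN, verifies an entered PIN by recomputing the offset, and recomputes the CVV on demand instead of storing it. The slides describe encrypting the card number and expiry date under a card-specific key; to run with the Python standard library alone, this example stands in a keyed HMAC-SHA256 plus decimalisation for that block-cipher step, which is an assumption and not the issuer's algorithm. Digit-wise subtraction modulo 10, and separate card-specific keys for PIN verification and CVV derivation, are likewise assumptions. All keys, card numbers and PINs are constructed test values.

```python
"""Added example, not from the lecture slides: PIN offset (steps 2-3) and
derived CVV (step 22) in simplified form. HMAC-SHA256 plus decimalisation
stands in for block-cipher encryption under the card-specific key; this and
the digit-wise modulo-10 subtraction are assumptions. All keys, card numbers
and PINs are constructed test values."""
import hashlib
import hmac


def keyed_digits(card_key: bytes, pan: str, expiry: str, n: int) -> str:
    """Derive the last n decimal digits of a keyed transform of the card
    number and expiry date (stand-in for block-cipher encryption)."""
    mac = hmac.new(card_key, f"{pan}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Decimalise the hex digest: numeric hex digits are kept first, then the
    # letters a-f are mapped onto 0-5, so the result is always 64 digits.
    numeric = [c for c in mac if c.isdigit()]
    letters = [str(int(c, 16) - 10) for c in mac if not c.isdigit()]
    return "".join((numeric + letters)[-n:])


def pin_offset(pin_key: bytes, pan: str, expiry: str, pin: str) -> str:
    """Step 2: offset = (last 4 derived digits) - PIN, digit by digit mod 10.
    The issuer stores only this offset; the PIN itself is never stored."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("PIN must be exactly 4 decimal digits")
    natural = keyed_digits(pin_key, pan, expiry, 4)
    return "".join(str((int(a) - int(b)) % 10) for a, b in zip(natural, pin))


def verify_pin(pin_key: bytes, pan: str, expiry: str,
               stored_offset: str, candidate_pin: str) -> bool:
    """Step 3: recompute the offset from the entered PIN and compare it with
    the stored offset (constant-time compare to avoid a timing side channel)."""
    try:
        recomputed = pin_offset(pin_key, pan, expiry, candidate_pin)
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, stored_offset)


def derive_cvv(cvv_key: bytes, pan: str, expiry: str) -> str:
    """Step 22: the 3-digit CVV is recomputed from the card number and expiry
    under a card-specific key rather than being stored."""
    return keyed_digits(cvv_key, pan, expiry, 3)


# Constructed test values (well-known test PAN; keys are not real issuer keys).
PAN = "4111111111111111"
EXPIRY = "1219"
PIN_KEY = b"constructed-pin-verification-key"
CVV_KEY = b"constructed-cvv-derivation-key"

if __name__ == "__main__":
    offset = pin_offset(PIN_KEY, PAN, EXPIRY, "1234")   # what the bank stores
    print("stored PIN offset:", offset)
    print("correct PIN accepted:", verify_pin(PIN_KEY, PAN, EXPIRY, offset, "1234"))
    print("wrong PIN rejected:", not verify_pin(PIN_KEY, PAN, EXPIRY, offset, "1235"))
    print("derived CVV:", derive_cvv(CVV_KEY, PAN, EXPIRY))
```

The point the slides make is visible in the data model: the record the bank keeps is the offset, and without the card-specific key the offset reveals nothing about the PIN, because every candidate PIN maps to some offset with equal likelihood. Any change to the PIN changes the offset digit for digit, so a wrong PIN can never verify, and the CVV check works the same way, as a recomputation rather than a lookup.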
Conclusion
• SysTrust engagements are increasing because of the increasing use of externally hosted systems.
• PCI is gaining prominence because the PCI Council (the credit card companies) is now starting to enforce this standard.
Review Questions
1. Map the SysTrust principles to the control
matrix we discussed in Chapter Six.
2. What are the management options to avoid
a qualified SysTrust audit opinion when a
control deficiency is identified by the
auditor?
3. What parties can benefit from a SysTrust
audit report?
Review Questions
4. What kinds of organizations are held to comply with the Payment Card Industry Security Standard?
5. What kinds of organizations are required to
provide an annual external validation of
compliance with the PCI Security
Standard?
Review Questions
6. According to the PCI Security Standard, what kind of access has to be monitored?
7. How does the PCI Security Standard affect
the financial statement audits of large retail
merchants?
8. How does the PCI Security Standard affect
the profit of large retail merchants?
MC Question
Which of the following is an optional
SysTrust principle?
• A. Confidentiality
• B. Security
• C. Processing integrity
• D. Availability
MC Question
Who is the primary audience of a SysTrust
report?
• A. Service organization management
• B. Shareholders’ auditors of service
organization
• C. User organization(s) management
• D. Shareholders’ auditors of user
organization(s)
MC Question
Who is responsible for developing control
procedures in a SysTrust audit?
• A. External auditors
• B. Service organization management
• C. Internal auditors
• D. User organization management
MC Question
Which SysTrust principle addresses
application controls?
• A. Security
• B. Confidentiality
• C. Processing integrity
• D. Availability
MC Question
What kind of access to cardholder data must
be monitored by a bank?
• A. All
• B. Update
• C. External
• D. Create