Monthly Archives: March 2009

PCI Compliance: Frequently Asked Questions

Payment card industry compliance is confusing for many ecommerce merchants. But it potentially affects every merchant that accepts credit card payments. Failure to understand the PCI compliance standards could result in higher merchant account fees and fines from the credit card issuers.

Merchants oftentimes have similar general questions on PCI compliance. We posed some of them to Tim Erlin, principal product manager for nCircle, a security consulting and compliance firm that offers PCI-related services, among other compliance services. Those questions, and his answers, are below.

What is PCI?

Erlin: “PCI generally refers to the Payment Card Industry Data Security Standard, or the PCI DSS. This standard was developed by the PCI Security Standards Council, which is a consortium of the major credit card brands (Visa, Mastercard, American Express, and Discover). It represents the combination of two previous separate programs: the Visa Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection program (SDP). The goal of the PCI DSS is to specify a common standard for protecting cardholder data from compromise.”

How does PCI compliance affect my ecommerce business?

Erlin: “If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you’ll need to carefully consider the requirements of the PCI DSS.”

“Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor. You can find out more details about merchant levels here.”

Where can I learn more about PCI?

Erlin: “The PCI Security Standards Council is the authoritative source for information. You can find their website at You can also look to the card brands themselves for additional information.”

My annual sales are very small. Do I still have to comply with PCI?

Erlin: “Every merchant that accepts credit cards must comply with PCI, but smaller merchants often achieve compliance by using compliant services. If you don’t store, transmit or process any credit card data, then your systems are out of scope for PCI DSS compliance.”

How do I know if my ecommerce business is PCI compliant?

Erlin: “Do you store, transmit or process credit card data? If the answer is yes, then you are required to fill out a self-assessment questionnaire to demonstrate PCI compliance. You may be required to perform other work to demonstrate compliance depending on your merchant level.”

“If you do not store, transmit or process credit card data, but do accept credit cards through a payment gateway or merchant account provider, then you should validate whether your providers are PCI compliant.”

What happens if my business is not PCI compliant?

Erlin: “If your business is not PCI compliant there are various measures that the card brands can take, ranging from warnings and monetary fines to revoking your ability to process transactions entirely. More importantly, the PCI DSS allows you to assure your customers that you’re protecting their credit card data appropriately.”

If my business is PCI compliant, does it reduce my insurance liability?

Erlin: “Generally, no. If you’re not compliant and experience a breach, however, you can be open to legal action from the affected customers.”

Will PCI compliance reduce my business’s merchant account fees?

Erlin: “This isn’t generally the case. In fact, it can increase the cost. Merchant account providers have to demonstrate their own PCI compliance, and they can and have passed that cost onto their customers.”

Where can I find a list of shopping carts and hosts that are PCI compliant?

Erlin: “Unfortunately, there is no single list of compliant shopping carts, hosts or other providers. However, because PCI compliance is a basic requirement for accepting credit card payments, all of the most common hosted shopping carts are PCI compliant. Choose the shopping cart that has the features and functions you need, then validate that their service is PCI compliant.”

via PCI Compliance: Frequently Asked Questions | Practical eCommerce.

HIPAA New Compliance Aggressive Enforcement

Buried within the Economic Stimulus Bill is the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition to billions for health information technology, HITECH contains far-reaching changes to privacy and security regulation under the Health Insurance Portability and Accountability Act (HIPAA). The Internet is abuzz with analyses of these new provisions. But two aspects of these HIPAA changes bear more emphasis than they are receiving.

The first is new incentives for federal agency enforcement and the assessment of fines. Civil penalties collected in the future by the Office of Civil Rights (OCR) for privacy or security violations will be turned over to the agency to fund even greater enforcement efforts. If history is any guide, then OCR’s current complaint-driven, compliance-oriented approach to enforcement will shift quickly to a more aggressive and punitive strategy. This may be the single most important change wrought by the HITECH Act, and it is effective immediately.

The second aspect is the complex timing of HIPAA’s new requirements. We offer below a schedule for the phase-in of some of the more important new HIPAA obligations.

The Carrot
The HITECH Act provides approximately $31.2 billion for healthcare infrastructure and adoption of electronic health records (EHR). The Congressional Budget Office assumes that the Act will save federal healthcare programs an estimated $12 billion from higher EHR use, resulting in a net cost to the federal government of $19.2 billion.

The money largely flows from Medicare and Medicaid incentives to physicians and hospitals for the “meaningful use” of certified EHRs, including existing systems as well as new installations or upgrades. Non-hospital based physicians could receive up to $44,000 from Medicare or $64,000 from Medicaid, and hospitals with high Medicare and Medicaid volumes could receive up to $11 million. These incentives will be paid out over a 4- to 5-year period beginning in 2011.

The Stick
The HITECH Act expands HIPAA’s coverage, increases compliance obligations, and strengthens enforcement penalties. Descriptions of these changes can be found on listserves, websites, and other sources. But strangely absent, in our opinion, from nearly all these descriptions is subsection 13410(c) of the Act, “Distribution of Certain Civil Monetary Penalties Collected,” which was effective immediately on passage of the Act. The subsection provides:

    [A]ny civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or [the civil monetary penalty provision of HIPAA] insofar as such section relates to privacy or security shall be transferred to the Office of Civil Rights for [HHS] to be used for purposes of enforcing the provisions of this subtitle and [the HIPAA privacy rules] * * *.

When HIPAA was enacted in 1996, it contained a similar provision dedicating civil penalties collected for fraud and abuse violations to federal agency enforcement efforts. The Fraud and Abuse Control Account was thereby established, and the Office of Inspector General and U.S. Department of Justice quickly made fraud and abuse enforcement a top priority. In FY 1996, the Feds collected $205 million in fines and settlements for fraud and abuse violations. In FY 1997, that figure jumped to nearly $1 billion. If OCR reacts to budgetary incentives in the same manner as OIG, we can expect a significant increase in proactive enforcement activity and the assessment of monetary penalties. Indeed, the HITECH Act will make monetary penalties mandatory in February 2011 if investigation reveals a “willful neglect” of compliance duties.

The Schedule
The general effective date for HITECH HIPAA provisions is February 17, 2010, a 12-month grace period. But exceptions swallow the general rule. The following chart roughs out effective dates for provisions of greatest interest to providers. Bear in mind that this list is not exhaustive and that Congress can change its mind or the Secretary of HHS may act sooner or later than anticipated.

Effective Immediately
• Collected civil monetary penalties go to OCR
• Civil monetary penalties are increased substantially
• Civil actions by state Attorneys General on behalf of aggrieved persons are authorized; statutory penalties and attorney fees are recoverable

On or Before September 15, 2009
• New security breach notification obligations effective

February 17, 2010
• Business associates are directly subject to HIPAA
• Limited Data Set standard for “minimum necessary,” except as necessary to the purpose of the disclosure
• Marketing communications further restricted
• Business associate agreements required for “courier” entities
• Employees of covered entities may have independent criminal liability

On or After January 1, 2011
• Accounting for treatment, payment, or healthcare operations (TPO) disclosures from EHR systems acquired after January 1, 2009; HHS may extend deadline by two years

On or Before February 17, 2011
• New prohibitions on disclosure of PHI in exchange for remuneration
• Mandatory civil monetary penalties for violations involving “willful neglect”

On or Before February 17, 2012
• Complainants will share in collected civil monetary penalties

On or After January 1, 2014
• Accounting required for TPO disclosures from EHR systems acquired before January 1, 2009; HHS may extend deadline by two years

via HIPAA New Compliance Aggressive Enforcement.

American Recovery & Reinvestment Act Significantly Impacts HIPAA – Mayer Brown – 14/03/2009, Information Security & Risk Management, Information Technology Law, Data Protection, Pharmaceutical, Healthcare & Life Sciences, Healthcare

United States: American Recovery & Reinvestment Act Significantly Impacts HIPAA

14 March 2009

Article by Debra Bogo-Ernst, Rebecca Eisner, Jeffrey P. Taft, and A. John P. Mancini

Originally published March 12, 2009

Keywords: American Recovery & Reinvestment Act, ARRA, Health Insurance Portability and Accountability Act, HIPAA, HITECH Act, Covered Entities, Business Associates, direct liability

The American Recovery & Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, includes significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). More specifically, Title XIII of ARRA, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, greatly expands the HIPAA obligations of “Covered Entities” and “Business Associates.”

Direct Liability for Business Associates in Certain Circumstances

Previously, Business Associates — persons who perform any function or activity involving the use or disclosure of Protected Health Information on behalf of a Covered Entity — were not directly liable for HIPAA violations. Instead, Business Associates had the potential for contractual liability to Covered Entities through contracts known as Business Associate Agreements. The HITECH Act now imposes direct civil and criminal penalties on Business Associates for certain security and privacy violations under HIPAA.

Under the HITECH Act, the majority of the HIPAA Security Rule now directly applies to Business Associates in the same manner as it applies to Covered Entities. For example, Business Associates will now be required to implement and maintain certain security policies and procedures, appoint a security officer and provide related training.

In addition, the HITECH Act imposes new Privacy Rule-related obligations on Business Associates. More specifically, the HITECH Act provides that Business Associates may use and disclose Protected Health Information only to the extent that such use or disclosure complies with certain requirements in Business Associate Agreements. Effectively, by way of this statutory tie to certain contractual provisions, Business Associates must directly comply with aspects of the Privacy Rule.

The HITECH Act specifically requires that Business Associate Agreements be modified to incorporate the new Security Rule and Privacy Rule requirements.

New Notification Requirements

Covered Entities and Business Associates alike will be subject to new notification requirements. For example, within 60 calendar days of discovering a breach of “unsecured” Protected Health Information (including breaches that should reasonably have been known), Covered Entities must notify:

Individuals with respect to a breach of their information;

“Prominent media outlets serving a State or jurisdiction” if more than 500 residents of such State or jurisdiction are affected; and

The Secretary of the Department of Health and Human Services (Secretary).

The Secretary will post a list of each Covered Entity involved in a breach of “unsecured” Protected Health Information concerning more than 500 individuals on the Department of Health and Human Services’ web site.

Enforcement Expanded to State Attorneys General

The HITECH Act empowers state attorneys general to bring civil actions in federal court if they have “reason to believe” that “one or more of the residents of that State has been or is threatened or adversely affected” by a violator for injunctive relief or statutory damages as well as attorneys’ fees. Previously, the Secretary had the sole right to enforce HIPAA through her delegations to the Centers for Medicare & Medicaid Services (Security) and the Office of Civil Rights (Privacy).

Increased Penalties and Compensation for Harmed Individuals

The new legislation significantly increases the existing civil monetary penalties for each violation. Civil penalties now generally range from $100 to $50,000 per violation, with caps of $25,000 to $1.5 million for all violations of a single requirement in a calendar year. The severity of the penalties is based upon the violator’s knowledge: from no knowledge (and by exercising reasonable diligence would not have known) of violation, to reasonable cause for the violation, to willful neglect. The Secretary is required to impose penalties for “willful neglect” violations. Within three years of the HITECH Act, the Secretary must establish, via regulation, a methodology for providing a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense to any harmed individual.

Effective Date

The effective dates for the HITECH Act changes to HIPAA vary. For example, the increased penalty provisions are effective immediately. In contrast, other provisions will be effective within a year of the legislation (i.e., February 2010) or after related regulations are published.

There are many other provisions of the HITECH Act that will affect the HIPAA obligations of Covered Entities and/or Business Associates.

via United States, IT & Telecoms, American Recovery & Reinvestment Act Significantly Impacts HIPAA – Mayer Brown – 14/03/2009, Information Security & Risk Management, Information Technology Law, Data Protection, Pharmaceutical, Healthcare & Life Sciences, Healthcare.

Law requires health data breach notifications — Federal Computer Week

The recently enacted economic stimulus law includes new requirements for how companies must notify people of breaches to their protected health information. Some experts say the rules could lead to federal breach notification requirements for other types of data.

Health data experts are still studying provisions in the $787 billion spending law that will expand what health care-related businesses are required to do when they discover unsecured, protected medical data has been breached.

The law gave the Health and Human Services Department 60 days to issue guidance on the types of technologies and methodologies that should be used to make protected health information secure — unusable, unreadable or indecipherable to unauthorized people.

Under the new law, if a health care provider, health plan administrator or health care clearinghouse covered under the Health Insurance Portability and Accountability Act (HIPAA) suffers a breach of the personal medical data it holds, and that data is not secured in the way HHS recommends, the organization will have to notify within 60 days each person whose data is believed to have been compromised. Companies that work with those covered entities and handle the medical data on their behalf will also have to notify the entity they work for if a breach is believed to have occurred on their watch.

“It is a big change in terms of the scope of the laws…and it now establishes a federal standard so regardless of what state you do business in, if you do business in the health industry, you are likely to be subject to these breach requirements,” said Kathryn Roe, an attorney focused on health care with the firm Neal, Gerber and Eisenberg in Chicago.

Federal lawmakers have made several recent attempts to pass national data notification requirements for data breaches of all kinds, but thus far those efforts have stalled and states have promulgated their own requirements. Without a national rule for data breach notifications, more than 40 states have developed their own data breach notification requirements.

Lisa Sotto, head of the privacy and information management practice at law firm of Hunton and Williams and an expert on privacy and data security, said the current situation is complex because data breaches rarely affect residents of just one state and laws often differ.

“I think what could happen here is this could set the bar and become the standard of data compromises of other types of sensitive personal data,” Sotto said.

The new law, only applicable to protected medical data, requires that individuals affected by the breach are notified in writing and that local news media are alerted of the breach in cases where more than 500 people are believed to have been affected. The provisions also require the companies to notify HHS of any breach and to do so immediately if it involved 500 people or more. HHS will post on its Web site a list of the HIPAA-covered entities involved in the breach if the problem reaches the threshold of 500 people having been involved.

Pam Dixon, executive director of the public research group World Privacy Forum, said the law was also significant because it includes requirements for organizations not covered under HIPAA. She added that the law was an acknowledgment that certain kinds of data need more protection.

Regardless of how they are made, breach notifications, to the extent possible, will have to include:

* A description of what happened, including when the breach occurred and when it was discovered.

* A description of the types of unsecured protected health information that was breached.

* The steps individuals should take to protect themselves against potential harm from the breach.

* A description of what the covered entity involved is doing to investigate the breach, mitigate losses and prevent future breaches.

HHS also was given one year to submit to Congress the first of what will be annual reports on medical data breaches that have occurred and what was done in response to them. The department also was given 180 days to issue interim final regulations implementing the law’s requirements.

via Law requires health data breach notifications — Federal Computer Week.

PCI Council gives helping hand to merchants

Prioritized Approach framework to help attain PCI DSS compliance

Ian Williams, 04 Mar 2009

The Payment Card Industry Security Standards Council (PCI SSC) has released a new resource designed to help merchants struggling to attain compliance with the PCI Data Security Standard.

The global payment industry body launched the Prioritized Approach framework to help merchants that are not yet fully compliant. It identifies the highest-risk targets, creates a common language around PCI DSS implementation efforts, and lets merchants demonstrate progress on the compliance process to key stakeholders.

The framework is made up of six ‘security milestones’ aimed at laying out a series of best practices for protecting against the highest risk factors and escalating threats facing cardholder data security. The milestones are as follows:

1. If you don’t need it, don’t store it

2. Secure the perimeter

3. Secure applications

4. Monitor and control access to your systems

5. Protect stored cardholder data

6. Finalise remaining compliance efforts, and ensure all controls are in place

“Securing cardholder data is the ultimate priority, and following the PCI DSS is the best way to achieve this,” said Bob Russo, general manager of the PCI Security Standards Council.

“The Prioritized Approach framework will help stakeholders understand where they can act to reduce risk earlier in their journey towards PCI DSS compliance.

“The launch of these new guidance and interactive documents is another step by the Council to increase understanding of and education around PCI DSS among merchants, providing them with insight into how they can protect cardholder data faster and demonstrate progress and compliance with the PCI DSS.”

According to the PCI SSC, the framework was based on actual data compromises, as well as feedback from assessors and forensic investigators, and input from the PCI SSC Board of Advisors.

The Prioritized Approach framework is available on the Council’s web site. It includes a reference document and downloadable worksheet that allows merchants to sort specific PCI DSS requirements by the individual milestones.


via PCI Council gives helping hand to merchants.

Identity Theft – PCI Chiefs Defend Standards, Plans – eWeek Security Watch

It’s a gross oversimplification of an utterly staggering technical and social challenge, and he knows it as well as anyone, but it’s hard to argue with PCI Security Standards Council General Manager Bob Russo’s assertion that when it comes to improving electronic data security and related matters of individual privacy, “something is much better than nothing.”

Since the massive, potentially record-breaking security breach at Heartland Data Systems in late January, the Payment Card Industry Security Standards Council and its Data Security Standard (DSS) have been put under a microscope and criticized for foisting on companies an impractical IT security mandate that detractors say does not actually meet its goal of making it harder for companies that handle credit and debit card data to be fleeced the way Heartland was.

Some highly respected security researchers and practitioners have come out since the Heartland robbery and questioned the viability of the entire DSS effort, perceived as being out of touch with real-world IT environments and insufficient to help organizations avoid exploitation. A handful have gone as far as saying it actually makes the process even harder.

And after all, here’s a Tier 1 company that’s likely had to push to abide by the technological and process-oriented stipulations required under the PCI Standard as much and as long as any other, and it just got positively hammered.

However, visiting Boston on a media tour organized to share some new elements of the PCI Council’s larger plans the week of Feb. 23, Russo and new PCI Security Standards Council Chairman Lib de Veyra — an executive at and appointee of JCB International Credit Card — made a lot of credible points. Mostly, because they firmly recognized the reality that no standard is perfect and that DSS as it exists is only a first step in a long evolutionary process.

Not to be misinterpreted, the PCI Council is satisfied with what it’s put in place thus far, given the challenge at hand, Russo and de Veyra said.

The parts of DSS that need to be tweaked to address the vast diversity of infrastructure and applications employed by all the retailers, merchants and processors, as well as all the techniques utilized by attackers, will be addressed by taking feedback directly from the very companies that must comply with the standard, the PCI Council representatives said. And truthfully that has been at the very least a consistent message of the organization all along.

A number of powerful banking, retail, technology and government players are also involved in the PCI Advisory Board.

And the Heartland incident, as well as those reported at other companies that have been at some time certified as PCI compliant, including TJX Companies and Hannaford Brothers, in no way proves that the standard is clearly lacking in some specific area, they said.

The PCI leaders said that, in addition to these companies not yet having shared with the Council the specific details of how each was victimized by fraudsters, the fact that they were at one time judged to be in conformity with DSS in no way guarantees that they were conformant at the time they were attacked.

“Just because a company gets a clean bill of health today doesn’t mean they can’t be infected tomorrow,” de Veyra said. “Organizations are making configuration changes and broadening adoption of technologies like wireless all the time; the guidelines in DSS are something that you have to continue to monitor and maintain all the time.”

And many of the Council’s initiatives, including plans to launch two new standards aimed at improving embedded security features, or “host security modules,” built into card data transaction processing hardware, and regulations for UPTs (unattended payment terminals) such as gas pumps and ticketing kiosks, will help push the entire industrywide process forward, they said.

The PCI Security Standards Council will also continue to push DSS overseas, in Europe and APAC specifically, where the guideline has faced some resistance from card handlers. But the effort launched by the world’s largest card companies — American Express, Discover, JCB, MasterCard and VISA – remains undaunted in its pursuit, PCI’s chief spokespeople said.

“Addressing the criticism comes down to communication; once we have enough information from companies like Heartland to truly examine what happened, we can understand how it relates to DSS,” de Veyra said. “And working with all the companies on our Advisory Board, meeting with them and incorporating their feedback over time, will be the most important aspect of maturing the standards.”

Another new element of DSS will be a technological tool, a sort of stripped-down PCI diagnostic application provided by the Council to offer organizations still getting started with the standard a more “prioritized approach to DSS.”

The Prioritized Approach tool will help companies track their ability to meet basic milestones of achieving compliance with DSS, the representatives said. The first three steps — preventing the improper storage of electronic data, securing the network perimeter and securing applications — have clearly proven hard to accomplish for many organizations, and some might argue for most or even all.

But most importantly, the idea is to move gradually toward a world in which every company affected by the PCI mandate has at least greatly augmented and formalized its approach to, if not its execution of, securing electronic data, the leaders said.

“No standard is ever going to completely stop what we’re seeing right now with cyber-crime, but the reaction we’ve seen to PCI after some of these incidents like Heartland has been absolutely unfair, because we don’t even know if they were compliant,” Russo said.

In terms of whether incidents like the breaches at Heartland, TJX and Hannaford Brothers have damaged public perceptions of DSS, the industry veteran said, as in any case, there is no shortage of opinions.

“You can sit there and look at it from one side and say, you have this standard but these incidents have still happened, and that proves something isn’t working,” Russo said. “But what you don’t know at the same time is, if we didn’t have DSS as it stands in place, how many more of these incidents might we have had?”

I’m sure that there are valid criticisms of various aspects of PCI — some very smart people have spent time voicing their questions already.

But, I’m curious to know whether they’d agree at the end of the day that something is better than nothing.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to

via Identity Theft – PCI Chiefs Defend Standards, Plans – eWeek Security Watch.