Monthly Archives: December 2009

Are PCI Standards Helpful? Take the Survey and Tell Us Your Views | Practical eCommerce

Completion of the survey will take only a couple of minutes and by doing so you’ll automatically register for a $25 Amazon gift certificate.

via Are PCI Standards Helpful? Take the Survey and Tell Us Your Views | Practical eCommerce.

Restaurant Owners File Lawsuit Over Credit Card Billing Safety Problems – AboutLawsuits.com

Several restaurant owners in Louisiana and Mississippi are suing two companies that provided them with point-of-sale (POS) computer systems for credit card billing, saying that the systems were insecure and allowed hackers to steal thousands of customers’ credit card information.

via Restaurant Owners File Lawsuit Over Credit Card Billing Safety Problems – AboutLawsuits.com.

PCI Security Standards Council Launches Global Website with New Resources in Eight Languages | SYS-CON INDIA

Today, the PCI Security Standards Council (PCI SSC), a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced the launch of a new PCI SSC micro site, providing resources to secure payment card data in eight languages.

via PCI Security Standards Council Launches Global Website with New Resources in Eight Languages | SYS-CON INDIA.

Heartland pays Amex $3.6 million over 2008 data breach – Network World

Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network.

This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.

via Heartland pays Amex $3.6 million over 2008 data breach – Network World.

SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance

In particular, the new rules require disclosures in proxy and information statements about:

* The relationship of a company’s compensation policies and practices to risk management.

via Press Release: SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance; 2009-268; Dec. 16, 2009.

MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

The first MasterCard change made this month was pushing the Dec. 31, 2010, deadline back six months, to June 30, 2011. But MasterCard has also made two other key PCI changes. It has redefined what Level a retailer is (Level 1, 2, 3 or 4) to explicitly mirror whatever level Visa has determined. (The language used to say “competing brand.”) The last of the changes is to allow Level 1 and Level 2 retailers to perform their own assessments—using the retailer’s own salaried audit staff—as long as those audit staffers have passed PCI-approved training courses.

via StorefrontBacktalk » Blog Archive » MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline.

Why Are You More Afraid Of A QSA Than A Cyberthief?

Let me give some real-life examples of what I mean.

* A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.

* You developed a set of security policies as part of your last assessment. Your QSA comes around the next year and asks to see them, but no one can even find a copy to give her. Clearly the policies—designed to protect you and your assets—haven’t been implemented—or maybe even read.

* You install an extensive and expensive logging system, but you only monitor and evaluate event reports when the QSA is on site.

via StorefrontBacktalk » Blog Archive » Why Are You More Afraid Of A QSA Than A Cyberthief?.

When It Comes To PCI Compliance, Franchisors Are Screwed

When it comes to franchise-based retailers, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

via StorefrontBacktalk » Blog Archive » When It Comes To PCI Compliance, Franchisors Are Screwed.

NIST Updates Automated Computer Security Validation Guidelines

The National Institute of Standards and Technology (NIST) has issued a draft publication for public comment that describes changes to the Security Content Automation Protocol (SCAP). SCAP is a suite of specifications that use the eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations.

via NIST Updates Automated Computer Security Validation Guidelines.