“PCI is further redefining what a hardware terminal is: It’s supposed to take payments outside of the PCI card data environment so you don’t have to do any monitoring of them,” he says. “But we’ve seen outbreaks of tampering [of devices] to capture cardholder data … they are changing the definition, which could bring a lot of intelligent terminals collecting payments brought into [PCI].”
According to the recently published PCI DSS 2.0:
“The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:
The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE.
The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.”
The key revisions cover areas such as log management and scoping the environment to understand where cardholder data resides. There are also revisions meant to let organizations develop a risk-based assessment approach suited to their specific business circumstances, as well as changes designed to simplify compliance for small merchants.
The first thing readers will notice when they open PCI DSS version 2.0 is an expanded section defining PCI scope. Version 2.0 requires merchants and processors to explicitly identify all locations and flows of cardholder data annually, before they begin their assessment. The specific instructions are to confirm that no cardholder data has leaked outside your defined cardholder data environment and, if you find any, to either delete it or migrate it into the CDE so that it is covered by the assessment.
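The scoping step above is usually carried out with a cardholder-data discovery scan: walk file shares, logs and exports, flag anything that looks like a primary account number (PAN), and compare each hit against the locations you have declared as the CDE. The Python below is an added example written for this page; it is not code from the PCI SSC, the article's author, or any named vendor. The file paths, the CDE prefix `/cde/` and the file contents are constructed inline (the card numbers are the well-known Luhn-valid test numbers, not real accounts). It goes slightly beyond the text by showing how a Luhn check separates real PAN candidates from ordinary long numeric IDs.

```python
"""Cardholder-data discovery helper (added example, not from the PCI SSC or the page).

Scans a set of text "files" (constructed inline here) for primary account
numbers (PANs), keeps only candidates that pass the Luhn check, and reports
every hit outside the configured cardholder data environment (CDE) paths.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# A maximal run of digits, allowing a single space or hyphen between digits
# (covers "5500 0000 0000 0004" and "4242-4242-4242-4242" formatting).
DIGIT_RUN = re.compile(r"[0-9](?:[ -]?[0-9])*")
PAN_MIN, PAN_MAX = 13, 19  # PAN lengths defined by ISO/IEC 7812


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the report itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs found in `text`.

    Deliberately conservative: a whole digit run must be 13-19 digits and
    Luhn-valid. Production tools also slide shorter windows over longer runs
    and filter by issuer BIN ranges; both are omitted here to keep the example short.
    """
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if PAN_MIN <= len(digits) <= PAN_MAX and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


@dataclass(frozen=True)
class Finding:
    path: str
    masked_pan: str
    in_cde: bool


def scan_files(files: Dict[str, str], cde_prefixes: Iterable[str]) -> List[Finding]:
    """Scan every (path, content) pair and flag whether the path lies inside the declared CDE."""
    prefixes = tuple(cde_prefixes)
    findings = []
    for path, content in sorted(files.items()):
        for masked in find_pans(content):
            findings.append(Finding(path, masked, path.startswith(prefixes)))
    return findings


def out_of_scope(findings: List[Finding]) -> List[Finding]:
    """Cardholder data outside the defined CDE: per PCI DSS 2.0, delete it or bring it into scope."""
    return [f for f in findings if not f.in_cde]


# Constructed sample corpus: hypothetical paths, industry test-card numbers only.
SAMPLE_FILES = {
    "/cde/pos/batch-2010-10-28.log":
        "2010-10-28 14:02:11 auth card=4111111111111111 amount=19.99 approved\n",
    "/home/alice/Downloads/refunds.csv":
        "ticket,card,amount\n8812,5500 0000 0000 0004,45.00\n",
    "/var/log/app.log":
        "2010-10-28 09:15:00 order 1234567890123456 shipped\n",  # fails Luhn: not a PAN
    "/srv/share/tickets.txt":
        "customer says card ending 4242-4242-4242-4242 was charged twice\n",
}
CDE_PREFIXES = ("/cde/",)  # assumed CDE location for this example

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, CDE_PREFIXES):
        print(f"{'CDE ' if f.in_cde else 'OUT '}{f.path}: {f.masked_pan}")
```

Run as-is, the scan reports three PANs, two of them (the refunds spreadsheet in a home directory and the helpdesk ticket on a file share) outside `/cde/`; the 16-digit order number in `app.log` is ignored because it fails Luhn. Those two out-of-scope hits are exactly what the PCI DSS 2.0 text says must be deleted or migrated into the CDE before scope is confirmed, and the masked output is what you retain as the evidence the assessor will ask for.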
The final version of PCI version 2.0 has just been released this week. It goes into effect on Jan. 1 but impacted entities have until Dec. 31, 2011, to become fully compliant.
The names, addresses and some health information of 280,000 Medicaid enrollees in Pennsylvania could be at risk after two affiliated managed care organizations reported the loss of a hard drive from a portable computer. The hard drive went missing in the corporate offices of either Philadelphia-based Keystone Mercy Health Plan or Harrisburg-based AmeriHealth Mercy Health Plan, the Philadelphia Inquirer reports. The two companies cover a total of 400,000 Medicaid patients in the state.
According to a new survey published by MeriTalk, an online community for government IT professionals, 85 percent of federal information security leaders have not used CyberScope, an online reporting tool designed to reduce the amount of money the government wastes annually on cyber security compliance reports. Of those who have used CyberScope, the survey, entitled “FISMA’s Facelift: In the Eye of the Beholder,” found that every respondent gave the tool an “A” or “B” rating.
In an effort to make cloud solutions more easily available to government agencies, the US General Services Administration (www.gsa.gov) has awarded 11 companies a five-year, government-wide Blanket Purchase Agreement to make Infrastructure as a Service solutions available to all levels of government through the gateway “Apps.gov”.
This article is the first in a short series designed to help small businesses understand the regulations around securing credit card transactions, specifically the PCI DSS (Payment Card Industry’s Data Security Standard) requirements.
Facebook has been the subject of intense scrutiny over privacy concerns…again. Or, is it still? Facebook is not alone, however, as Twitter and Android have also been recent targets of privacy ire. Each of these privacy incidents has something else in common as well: they are the result of relationships with third parties that users themselves have approved.