OMB, NIST release draft of new FISMA metrics

The National Institute of Standards and Technology and the Office of Management and Budget are proposing 11 new performance metrics to guide agencies in how they measure their computer network security.

via Federal News Radio 1500 AM: OMB, NIST release draft of new FISMA metrics.

Scammers scrape RAM for bank card data #PCI

So-called RAM scrapers scour the random access memory of POS, or point-of-sale, terminals, where PINs and other credit card data must be stored in the clear so it can be processed. When valuable information passes through, it is uploaded to servers controlled by credit card thieves.

via Scammers scrape RAM for bank card data.

Firms failing on #PCI DSS – use of RAM scrapers rising

But according to telco Verizon Business’ Risk team, which published the findings, a “fairly new” threat in the shape of RAM scrapers is increasingly being used by online thieves to bypass PCI DSS rules requiring credit card data to be encrypted anyway.

via Infosecurity (USA) – Firms failing on PCI DSS.

Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

via StorefrontBacktalk » Blog Archive » Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security.

Credit-Card Security: Monitoring – BusinessWeek

Many businesses are familiar with the PCI Security Standards Council’s requirements, yet many card fraud incidents go undiscovered for long periods of time. In fact, according to Verizon’s 2009 Data Breach Investigations Report, 75% of compromises were discovered at least weeks after the compromise.

via Today’s Tip Credit-Card Security: Monitoring – BusinessWeek.

The 2009 #PCI DSS and Protecting Cardholder Data Report

In a new study on PCI DSS and Protecting Cardholder Data, the organizations earning top results were found to achieve and sustain compliance with PCI DSS at a 50% lower cost than all other respondents. The third annual study on protecting cardholder data by Aberdeen Group, a Harte-Hanks Company (NYSE: HHS), provides year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with PCI DSS, as well as the specific areas of greatest challenge.

via The 2009 PCI DSS and Protecting Cardholder Data Report.

#PCI Exec Suggests Payment Outsourcing for Smaller Merchants | Practical eCommerce

“I'm seeing a trend, especially among the smaller merchants. They're recognizing they don't have a dedicated IT shop in house. They don't have dedicated security staff that can support ongoing security. What they need to do is to outsource to a service provider that has that security skill set that has that fundamental understanding of just how a payment process works.

via PCI Exec Suggests Payment Outsourcing for Smaller Merchants | Practical eCommerce.

Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers

Connecticut Attorney General Richard Blumenthal (D) has emerged as possibly the first AG to take on a HIPAA investigation, and Arizona’s AG may also be pursuing a similar course. The larger of the two breaches that have come to the AGs’ attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, who also hailed from New Jersey and New York.

via Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers.

PCI-Compliant Stores a Minority – American Banker Article

Less than 50% of businesses with 20,000 or more payment transactions a year are compliant with the Payment Card Industry Data Security Standard, a survey found…

via PCI-Compliant Stores a Minority – American Banker Article.

Recognizing the payment industry achievements of 2009 and looking ahead from Chair of the PCI Security Standards Council

On a global level, the council continues to extend beyond simply defining the standards. We provide resources to address specific security challenges and mobilize the payment community through training sessions, open discussion forums and both formal and informal feedback sessions.

via Recognizing the payment industry achievements of 2009 and looking ahead – SC Magazine US.