Category Archives: PCI

Report: PCI-DSS standard to boost firewall auditing market – Related Stories – CompTIA SmartBrief

According to a new report from Forrester Research, the market for firewall management and auditing tools is expected to grow by 25% this year as enterprises move to meet the new requirements set down in the Payment Card Industry Data Security Standard. Growth in the space is also expected to increase competition for vendors like Cisco and Juniper Networks as third-party vendors look to snag market share.

via Report: PCI-DSS standard to boost firewall auditing market – Related Stories – CompTIA SmartBrief.

PCI-DSS: Not on health care provider’s radar

Health care providers are certainly no stranger to data privacy and security standards related to protected health information (PHI). Although these providers and their respective organizations are well versed in rules, policies and requirements of HIPAA, few are aware that the PCI-DSS rules apply to their businesses and even fewer are compliant. When HIPAA compliancy mandates were looming, health care providers seriously performed “gap analyses” to understand risks and then developed policies, instituted practices and acquired technologies.

via PCI-DSS: Not on health care provider’s radar – SC Magazine US.

MasterCard Gets PCI Tough With Level 2 Retailers?

MasterCard has changed its PCI rules and is now insisting that all Level 2 merchants have on-site assessments.

“This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually,” wrote Branden Williams, in his excellent Security Convergence Blog, which seems to have broken the story on Wednesday (June 17). The blog also reports that none of the other card brands—including Visa, the Uber Brand when it comes to PCI issues—have done the same.

via StorefrontBacktalk » Blog Archive » MasterCard Gets PCI Tough With Level 2 Retailers?.

PCI compliance strategy calls for hiding card data in plain sight – Network World

Direct-marketing retailer Fingerhut is undertaking a new strategy to protect sensitive payment-card information: Hiding it in plain sight through a data-scrambling method called “tokenization.”

via PCI compliance strategy calls for hiding card data in plain sight – Network World.

300 companies were victimized by the same hacker as Heartland

Carr also believes that the vast majority of breaches go unreported. He says that around 300 companies were victimized by the same hacker as Heartland, but that most have never come forward. He points to loopholes in the state laws meant to protect consumers in the event of a data breach as the reason.

via Heartland Gets Religion on Security – Digits – WSJ.

PCI Debate Ignores Planned Improvement Cycle

While the PCI-bashing cabal is out in full force, I have found few of them have read the PCI Security Standards Council’s Lifecycle Process for Changes to PCI DSS [.pdf link]. Had they done so, they might be singing a different tune. In this document, the Council maps out a long-term pragmatic and strategic plan for PCI compliance.

via PCI Debate Ignores Planned Improvement Cycle – CSO Online – Security and Risk.

Weak security enables credit card hacks – AP

Steps to processing a credit card

Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.

via The Associated Press: AP IMPACT: Weak security enables credit card hacks.

InfoSecCompliance.com – Technology, Privacy and Security Law & Risk Management » Blog Archive » PCI Service Provider Contracting

One of the key areas I get involved in is service provider relationships, and in particular section 12.8 of PCI and service provider contracts. There are many aspects of 12.8 (and its subsections) that are potentially ambiguous and open to interpretation, but this particular article is not going to focus on those. This post concerns the “written agreement” referenced in 12.8.2.

via InfoSecCompliance.com – Technology, Privacy and Security Law & Risk Management » Blog Archive » PCI Service Provider Contracting.

How to manage the risk of your high-risk users

Every network has high-risk users. Typically, these users have broad access to the IT infrastructure and a high degree of technical knowledge. They might be internal or outsourced IT personnel, contractors, vendors or remote application developers. They know a lot about the IT systems and how they operate and might even possess “the keys to the kingdom” because they administer servers, networks, applications or databases. In fact, I might have just described … you.

via How to manage the risk of your high-risk users – Network World.

PCI Security Standards Council Invites Industry Feedback

In response to a letter from several retail trade associations suggesting changes in PCI (Payment Card Industry) data security standards, the PCI Security Standards Council here invited the trade groups to participate in the feedback process beginning on July 1 to shape the next version of the standard.

“We encourage all Participating Organization stakeholders, including the letter’s authors, to actively participate in that feedback process,” said Bob Russo, general manager of the PCI Security Standards Council. “We appreciate the input from these industry associations and we do encourage those that are not formal Council stakeholders to join up and become active participants, lending practical security expertise — along with their ideas — to evolve payment data security standards.”

via PCI Security Standards Council Invites Industry Feedback.