Visa Provides Guidance on Secure Implementation and Management of Payment Applications — SAN FRANCISCO, Aug. 24 /PRNewswire/ –

Visa today announced global industry best practices for payment application vendors, integrators and resellers that implement, install or manage payment-related systems on behalf of merchants. The best practices developed by Visa in collaboration with the SANS Institute are designed to complement the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).

via Visa Provides Guidance on Secure Implementation and Management of Payment Applications — SAN FRANCISCO, Aug. 24 /PRNewswire/ –.

Trojan blamed for Spanish air crash

A plane crash that killed 154 people in 2008 might have been partly connected to the infection of an important ground safety system by malware, a Spanish newspaper has claimed.

The Spanair plane took off from Madrid to fly to the Canary Islands on 20 August 2008, but failed to clear the runway. Of the 172 passengers and aircrew on board, only 18 survived.

via Trojan blamed for Spanish air crash.

Google Apps gets FISMA-certified for government work

Google has landed an important federal certification for encryption and security. An official Google blog post said that the company has received Federal Information Security Management Act (FISMA) certification and accreditation from the U.S. government for its Google Apps office productivity suite, including Gmail.

via Google Apps gets FISMA-certified for government work.

Data breach prevention top of mind for healthcare IT decision makers (WTN News)

According to the survey, 80 percent of respondents say securing patient information from unauthorized access and data breaches is a top priority, and 76 percent claim breach of confidential information or unauthorized access to clinical applications as their greatest security concerns – so much so that 97 percent say that HIPAA and HITECH Act regulations are driving their organization’s purchasing decisions. Seventy-four percent, meanwhile, say their organization will spend more on security in 2010 than it did in 2009.

via Data breach prevention top of mind for healthcare IT decision makers (WTN News).

PCI Update Gets Mixed Reviews

There’s one section in the standard that is more important than any other, says Tom Wills, security and fraud senior analyst at Javelin Strategy and Research. Requirement 6.2 – “apply a risk-based approach for addressing vulnerabilities” – needs to become the over-arching requirement in the entire standard, he says. “This would mean all security controls should be based on carefully assessed risk, and not on following a checklist.”

Security that’s based on actual risk, not on rote compliance, is the only effective strategy to control against financial losses that result from compromised data. Wills wants to see the PCI council take section 6.2 from the middle of the document and put it in a headline position, with every other requirement rolling up to that. “That would send a clear message to the PCI stakeholders that security does not equal compliance, and that putting security first is what we need.”

via PCI Update Gets Mixed Reviews.

Changes to PCI Data Security Standard leave questions unanswered

“But what is glaringly lacking is progress on the hard and most important issues, including the implications of adopting alternative technologies” on PCI compliance requirements, she said.

According to Litan, many Gartner clients are trying to understand whether their adoption of new technologies such as chip cards, tokenization and end-to-end encryption will limit the scope of their compliance requirements.

via Changes to PCI Data Security Standard leave questions unanswered – Computerworld.

PCI DSS and PA-DSS 2.0 Are Here – Almost

Well, the long wait is beginning to end as the PCI SSC let us see some more information on the new PCI DSS and PA-DSS. On August 12, the PCI SSC drew back the curtain on PCI DSS 2.0 and PA-DSS 2.0 by issuing a Summary of Changes document.

via PCI DSS and PA-DSS 2.0 Are Here – Almost « PCI Guru.

PCI DSS 2.0 – Emphasis on Card Data Discovery (CDD)

“They’ll say, ‘we found data on the most obscure parts of our network, we had no idea it was there,’” Russo says. “We need some methodology to find cardholder data.” Recommendations for that will include data-loss prevention technologies or discovery tools to find cardholder data, Russo says.

via Revisions to credit card security standard on the way.

Revisions to credit card security standard on the way

It’s going to be called the Payment Card Industry Data Security Standard 2.0, and the full-blown text of this upcoming standard that governs how businesses must guard sensitive cardholder information on their networks will be out at the beginning of September, according to the organization in charge of it.

via Revisions to credit card security standard on the way.

I Wonder If My Card Issuer Has A ROC?

The question is, because issuers demand retailers and service providers be PCI compliant, should they not practice the same discipline, go through the same process and lead the way by complying with the same guidelines to protect cardholder data? Let’s look at each of the three reasons I think issuers should want to ensure they are PCI compliant.

via StorefrontBacktalk » Blog Archive » I Wonder If My Card Issuer Has A ROC?.