Visa offers new guidance on securing payment applications – Computerworld

Posted by on August 25, 2010 No comments

Visa on Tuesday announced a set of security best practices for vendors of payment applications and for the systems integrators and resellers responsible for implementing and managing them.

The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of the applications that are used in credit and debit card transactions, according to Eduardo Perez, Visa’s head of global payment system security.

via Visa offers new guidance on securing payment applications – Computerworld.

More On PCI DSS 2.0 « #PCI

Posted by on August 24, 2010 No comments

The biggest news out of this presentation is that requirement 6.5 will now apply to all in-scope applications, not just Internet-facing or browser-based applications. Based on all of the breach research that has been conducted, they have finally realized that any application in the cardholder data environment (CDE) is a potential hazard, not just those on the big, bad Internet. However, this is likely to cause problems for all of those legacy systems on HP (DEC) VAX, IBM iSeries and zSeries as well as other “antique” platforms. It is hard to apply a lot of the OWASP/CWE/CERT/etc. secure coding standards to applications that are not written in Java, PHP, .NET and the like. Some of these standards will apply, but the majority will not.

via More On PCI DSS 2.0 « PCI Guru.

Visa Provides Guidance on Secure Implementation and Management of Payment Applications — SAN FRANCISCO, Aug. 24 /PRNewswire/ –

Posted by on August 24, 2010 No comments

Visa today announced global industry best practices for payment application vendors, integrators and resellers that implement, install or manage payment-related systems on behalf of merchants. The best practices developed by Visa in collaboration with the SANS Institute are designed to complement the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS).

via Visa Provides Guidance on Secure Implementation and Management of Payment Applications — SAN FRANCISCO, Aug. 24 /PRNewswire/ –.

Trojan blamed for Spanish air crash

Posted by on August 23, 2010 No comments

A plane crash that killed 154 people in 2008 might have been partly connected to the infection of an important ground safety system by malware, a Spanish newspaper has claimed.

The Spanair plane took off from Madrid to fly to the Canary Islands on 20 August 2008, but failed to clear the runway. Of the 172 passengers and aircrew on board, only 18 survived.

via Trojan blamed for Spanish air crash.

Google Apps gets FISMA-certified for government work

Posted by on August 23, 2010 No comments

Google has landed an important federal certification for encryption and security. An official Google blog post said that the company has received Federal Information Security Management Act (FISMA) certification and accreditation from the U.S. government for its Google Apps office productivity suite, including Gmail.

via Google Apps gets FISMA-certified for government work.

Data breach prevention top of mind for healthcare IT decision makers (WTN News)

Posted by on August 22, 2010 No comments

According to the survey, 80 percent of respondents say securing patient information from unauthorized access and data breaches is a top priority, and 76 percent claim breach of confidential information or unauthorized access to clinical applications as their greatest security concerns – so much so that 97 percent say that HIPAA and HITECH Act regulations are driving their organization’s purchasing decisions. Seventy-four percent, meanwhile, say their organization will spend more on security in 2010 than it did in 2009.

via Data breach prevention top of mind for healthcare IT decision makers (WTN News).

PCI Update Gets Mixed Reviews

Posted by on August 16, 2010 No comments

There’s one section in the standard that is more important than any other, says Tom Wills, security and fraud senior analyst at Javelin Strategy and Research. Requirement 6.2 – “apply a risk-based approach for addressing vulnerabilities” – needs to become the over-arching requirement in the entire standard, he says. “This would mean all security controls should be based on carefully assessed risk, and not on following a checklist.”

Security that’s based on actual risk, not on rote compliance, is the only effective strategy to control against financial losses that result from compromised data. Wills wants to see the PCI council take section 6.2 from the middle of the document and put it in a headline position, with every other requirement rolling up to that. “That would send a clear message to the PCI stakeholders that security does not equal compliance, and that putting security first is what we need.

via PCI Update Gets Mixed Reviews.

Changes to PCI Data Security Standard leave questions unanswered

Posted by on August 16, 2010 No comments

“But what is glaringly lacking is progress on the hard and most important issues, including the implications of adopting alternative technologies” on PCI compliance requirements, she said.

According to Litan, many Gartner clients are trying to understand whether their adoption of new technologies such as chip cards, tokenization and end-to-end encryption will limit the scope of their compliance requirements, Litan said.

via Changes to PCI Data Security Standard leave questions unanswered – Computerworld.

PCI DSS and PA-DSS 2.0 Are Here – Almost

Posted by on August 16, 2010 No comments

Well the long wait is beginning to end as the PCI SSC let us see some more information on the new PCI DSS and PA-DSS. On August 12, the PCI SSC drew back the curtain on PCI DSS 2.0 and PA-DSS 2.0 by issuing a Summary of Changes document.

via PCI DSS and PA-DSS 2.0 Are Here – Almost « PCI Guru.

PCI DSS 2.0 – Emphasis on Card Data Discovery (CDD)

Posted by on August 14, 2010 No comments

“They’ll say, ‘we found data on the most obscure parts of our network, we had no idea it was there,’” Russo says. “We need some methodology to find cardholder data.” Recommendations for that will include data-loss prevention technologies or discovery tools to find cardholder data, Russo says.

via Revisions to credit card security standard on the way.