PCI and the Art of the Compensating Control

Information in this chapter:

* What is a Compensating Control?

* Where are Compensating Controls in PCI DSS?

* What a Compensating Control Is Not

* Funny Controls You Didn't Design

* How to Create a Good Compensating Control

via PCI and the Art of the Compensating Control – CSO Online – Security and Risk.

Verizon shares framework to gather, analyze security incident data

The idea behind the Verizon Business incident sharing metrics framework, which underpins the company's highly regarded data breach investigation reports, is that those who do not learn from security incidents are doomed to repeat them.

With that in mind, Verizon today released its Verizon Incident Sharing framework (VerIS), a move aimed at helping enterprises consistently analyze and share incident data, whether internally or with each other.

via Verizon shares framework to gather, analyze security incident data.

Westin hotel in LA reports possible data breach

People who stayed at the Westin Bonaventure Hotel & Suites in Los Angeles last year and used their credit or debit card to eat there should keep a close eye on their bank statements.

Hotel officials disclosed Friday that the hotel's four restaurants, along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers' debit and credit cards.

via Westin hotel in LA reports possible data breach.

FDIC: Hackers took more than $120M in three months

Ongoing computer scams targeting small businesses cost U.S. companies US$25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation.

Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over US$120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC.

via FDIC: Hackers took more than $120M in three months.

Indian banker charged with online funds fraud

A senior Indian banker has been arrested by Indian police for an online fraud in which hackers siphoned close to 2.7 million Indian rupees ($60,000) from a bank account, a senior police official of the Indian state of Tamil Nadu said on Wednesday.

via Indian banker charged with online funds fraud.

Former TSA analyst charged with computer tampering

A U.S. Transport Security Administration analyst has been indicted for tampering with databases used by the TSA to identify possible terrorists who may be trying to fly in the U.S.

Douglas James Duchak, 46, was indicted by a grand jury Wednesday on two counts of damaging protected computers. According to a federal indictment, Duchak tried to compromise computers at the TSA's Colorado Springs Operations Center (CSOC) on Oct. 22, 2009, seven days after he'd been given two weeks' notice that he was being dismissed. He was also charged with tampering with a TSA server that contained data from the U.S. Marshals Service Warrant Information Network.

via Former TSA analyst charged with computer tampering.

Online banking fraud losses rise to nearly £60 million

Online banking fraud losses increased by 14 percent to £59.7 million last year, according to the latest figures from The UK Cards Association.

This represents an increase of £7.2 million in online banking fraud losses compared with 2008 (£52.5 million).

via Online banking fraud losses rise to nearly £60 million.

HSBC Private Bank: Data of 15,000 clients stolen

The data theft, said HSBC, was carried out by a former IT employee about three years ago and involves existing clients who had accounts with the bank in Switzerland before October 2006.

The stolen client information is limited to accounts in Switzerland, excluding ex-HSBC Guyerzeller accounts, the bank added. There is no data compromised for any branches of the bank outside Switzerland, which operate on separate systems and security, or other entities within the HSBC Group, the bank noted.

via HSBC Private Bank: Data of 15,000 clients stolen.

Blue Cross is sued over disclosing woman’s medical records | StarTribune.com

Blue Cross and Blue Shield of Minnesota, the state's largest health insurer, accidentally published a customer's personal medical information in a handbook prepared for 95,000 members of a popular health care plan, according to the woman's attorney.

via Blue Cross is sued over disclosing woman’s medical records | StarTribune.com.

Don’t Let Your CRM System Feed the Lawsuit Beast

The best way to avoid PCI audits and headlines about credit card lists leaking to the internet is to not store that data in the CRM system in the first place. Although your customer service reps (CSRs) may need to access that data, the CRM system should hold only pointers (external keys) to the system of record for credit card numbers, bank account numbers, payment history, etc.

via Don’t Let Your CRM System Feed the Lawsuit Beast.
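The pointer-only design the excerpt above recommends, worked through as an added example that is not from the linked article or any CRM product: the CRM record carries an opaque reference into a payment system of record plus the last four digits for the CSR to confirm, and never the card number itself. `PaymentVault` is a hypothetical stand-in for the processor or tokenization service that actually holds the PAN; the card numbers are constructed, well-known test numbers. Because the usual way card data creeps back into a CRM is a rep pasting it into a free-text note, the example also includes the audit check a practitioner would run over CRM records to catch exactly that.

```python
"""Added example: a CRM record holds only a pointer to the payment system of record."""
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample PANs: standard test numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]

# A 13-19 digit run bounded by word boundaries, the shape of a card number.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(number: str) -> bool:
    """Luhn check so the audit does not flag every long digit string (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentVault:
    """Hypothetical stand-in for the system of record. Only this component ever sees a PAN."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # The token is random, not derived from the PAN, so a leaked token reveals nothing.
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token

    def last4(self, token: str) -> str:
        return self._store[token][-4:]

    def charge(self, token: str, amount_cents: int) -> bool:
        # Real processing would happen here; the CRM never needs the PAN to request it.
        return token in self._store and amount_cents > 0


@dataclass
class CrmCustomer:
    """What the CRM may hold: identity, an external key into the vault, and display-safe data."""
    customer_id: str
    name: str
    payment_ref: str          # pointer into the vault, not card data
    card_last4: str           # lets a CSR confirm "the card ending in 1111"
    notes: list[str] = field(default_factory=list)


def onboard_customer(vault: PaymentVault, customer_id: str, name: str, pan: str) -> CrmCustomer:
    """The PAN goes to the vault first; the CRM record is built only from what the vault returns."""
    token = vault.tokenize(pan)
    return CrmCustomer(customer_id, name, token, vault.last4(token))


def find_pans_in_crm(records: list[CrmCustomer]) -> list[tuple[str, str]]:
    """Audit check: scan every text field in the CRM for Luhn-valid card-number-shaped strings.
    Returns (customer_id, field) pairs so each finding can be scrubbed and its source fixed."""
    findings = []
    for rec in records:
        fields = [("name", rec.name), ("payment_ref", rec.payment_ref)]
        fields += [(f"notes[{i}]", note) for i, note in enumerate(rec.notes)]
        for field_name, value in fields:
            if any(luhn_ok(m) for m in PAN_PATTERN.findall(value)):
                findings.append((rec.customer_id, field_name))
    return findings


def demo() -> dict:
    """Onboard two customers, then simulate a CSR pasting a card number into a note."""
    vault = PaymentVault()
    crm = [onboard_customer(vault, "c-1", "Ada", SAMPLE_PANS[0]),
           onboard_customer(vault, "c-2", "Bob", SAMPLE_PANS[1])]
    clean = find_pans_in_crm(crm)           # pointer-only records: nothing to find
    crm[1].notes.append("customer re-read card 5500000000000004 over the phone")
    return {
        "clean_before_note": clean,
        "findings": find_pans_in_crm(crm),  # the pasted note is the only hit
        "charge_ok": vault.charge(crm[0].payment_ref, 1999),
        "last4": crm[0].card_last4,
    }


if __name__ == "__main__":
    print(demo())
```

The split matters for scope as much as for leaks: the CRM, its backups and its reporting exports fall outside the cardholder data environment only if no field in them can hold a PAN, which is why the audit scan runs over notes and not just the columns designed for payment data.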