Heartland pays Amex $3.6 million over 2008 data breach – Network World

Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network.

This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.

via Heartland pays Amex $3.6 million over 2008 data breach – Network World.

SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance

In particular, the new rules require disclosures in proxy and information statements about:

* The relationship of a company’s compensation policies and practices to risk management.

via Press Release: SEC Approves Enhanced Disclosure About Risk, Compensation and Corporate Governance; 2009-268; Dec. 16, 2009.

MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

The first MasterCard change made this month was pushing the Dec. 31, 2010, deadline back six months, to June 30, 2011. But MasterCard has also made two other key PCI changes. It has redefined what Level a retailer is (Level 1, 2, 3 or 4) to explicitly mirror whatever level Visa has determined. (The language used to say “competing brand.”) The last of the changes is to allow Level 1 and Level 2 retailers to perform their own assessments—using the retailer’s own salaried audit staff—as long as those audit staffers have passed PCI-approved training courses.

via StorefrontBacktalk » Blog Archive » MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline.

Why Are You More Afraid Of A QSA Than A Cyberthief?

Let me give some real-life examples of what I mean.

* A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.

* You developed a set of security policies as part of your last assessment. Your QSA comes around the next year and asks to see them, but no one can even find a copy to give her. Clearly the policies–designed to protect you and your assets–haven’t been implemented—or maybe even read.

* You install an extensive and expensive logging system, but you only monitor and evaluate event reports when the QSA is on site.

via StorefrontBacktalk » Blog Archive » Why Are You More Afraid Of A QSA Than A Cyberthief?.

When It Comes To #PCI Compliance, Franchisors Are Screwed

When it comes to franchise-based retailers, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

via StorefrontBacktalk » Blog Archive » When It Comes To PCI Compliance, Franchisors Are Screwed.

NIST Updates Automated Computer Security Validation Guidelines

The National Institute of Standards and Technology (NIST) has issued a draft publication for public comment that describes changes to the Security Content Automation Protocol (SCAP). SCAP is a suite of specifications that use the eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations.

via NIST Updates Automated Computer Security Validation Guidelines.
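As an added illustration of the XML exchange the excerpt describes (this is example code written for this page, not NIST's or any scanner's own code): SCAP results are typically reported as an XCCDF TestResult whose rule-result elements carry a rule id, a severity and an outcome. The snippet below embeds a constructed, trimmed TestResult in the XCCDF 1.2 namespace and tallies it the way a compliance dashboard would, so that a practitioner can see what "standardized exchange of configuration results" looks like on the wire. The rule identifiers and host name are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: a trimmed XCCDF 1.2 TestResult as a configuration
# scanner would emit it. Rule ids and the target host are illustrative.
SAMPLE_TESTRESULT = f"""<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="{XCCDF_NS}" id="xccdf_org.example_testresult_pos01"
            start-time="2009-12-16T10:00:00" end-time="2009-12-16T10:05:00">
  <target>pos-terminal-01</target>
  <rule-result idref="xccdf_org.example_rule_password_min_len" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_disable_telnet" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_enabled" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_ntp_configured" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""


def parse_rule_results(xml_text):
    """Return one dict per rule-result: rule id, severity and outcome.

    XCCDF outcomes are one of pass, fail, error, unknown, notapplicable,
    notchecked, notselected, informational or fixed.
    """
    root = ET.fromstring(xml_text)
    results = []
    for rr in root.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        results.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": outcome.strip(),
        })
    return results


def failing_rules(results):
    """Rules that need attention: explicit failures plus errors/unknowns,
    which a careful reviewer treats as 'not demonstrated' rather than pass."""
    return [r for r in results if r["result"] in ("fail", "error", "unknown")]


def summarize(results):
    """Count outcomes, e.g. Counter({'fail': 2, 'pass': 1, 'notapplicable': 1})."""
    return Counter(r["result"] for r in results)


if __name__ == "__main__":
    parsed = parse_rule_results(SAMPLE_TESTRESULT)
    print(dict(summarize(parsed)))
    for r in failing_rules(parsed):
        print(f"{r['severity']:>7}  {r['result']:<6}  {r['rule']}")
```

Real TestResult documents also carry per-rule check references (CCE identifiers, OVAL definition ids) and fix text; the point here is only that the outcome is machine-readable, so two products that both emit XCCDF can be compared with the same dozen lines of code.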

Compliance and Cloud Computing

Compliance, along with security and privacy, is a big topic when firms consider cloud services. I recently did a Forrester Webinar on the topic of compliance for cloud computing. You can access the recording here: http://www.forrester.com/cloudsecuritywebinar. This blog entry is a recap of the Webinar.

via The Forrester Blog For Security & Risk Professionals.

Good news for UMC: Privacy violations seldom punished – Sunday, Dec. 13, 2009 | 2 a.m. – Las Vegas Sun

The Health Insurance Portability and Accountability Act, known as HIPAA, took effect in April 2003, and through October, the Health and Human Services Department had fielded 47,632 allegations of patient privacy violations. Of those, 9,501 were found to be valid.

And how many criminal prosecutions occurred? The department did not answer that question for the Sun, but some experts put the number as low as five. Others say it is fewer than 20. Most were connected to another crime, usually identity theft — such as the case of a Washington man who worked at a cancer-treatment center. He pleaded guilty in 2004 to stealing patient information to obtain credit cards.

via Good news for UMC: Privacy violations seldom punished – Sunday, Dec. 13, 2009 | 2 a.m. – Las Vegas Sun.

OMB, NIST release draft of new FISMA metrics

The National Institute of Standards and Technology and the Office of Management and Budget are proposing 11 new performance metrics to guide agencies in how they measure their computer network security.

via Federal News Radio 1500 AM: OMB, NIST release draft of new FISMA metrics.

Scammers scrape RAM for bank card data #PCI

So-called RAM scrapers scour the random access memory of POS, or point-of-sale, terminals, where PINs and other credit card data must be stored in the clear so it can be processed. When valuable information passes through, it is uploaded to servers controlled by credit card thieves.

via Scammers scrape RAM for bank card data.