Firms failing on #PCI DSS – use of RAM scrapers rising

But according to telco Verizon Business’ Risk team, which published the findings, a “fairly new” threat in the shape of RAM scrapers is increasingly being used by online thieves to bypass PCI DSS rules requiring credit card data to be encrypted anyway.

via Infosecurity (USA) – Firms failing on PCI DSS.

Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

via StorefrontBacktalk » Blog Archive » Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security.

Credit-Card Security: Monitoring – BusinessWeek

Many businesses are familiar with the PCI Security Standards Council’s requirements, yet many card fraud incidents go undiscovered for long periods of time. In fact, according to Verizon’s 2009 Data Breach Investigations Report, 75% of compromises were discovered at least weeks after the compromise.

via Today’s Tip Credit-Card Security: Monitoring – BusinessWeek.

The 2009 #PCI DSS and Protecting Cardholder Data Report

In a new study on PCI DSS and Protecting Cardholder Data, the organizations earning top results were found to achieve and sustain compliance with PCI DSS at a 50% lower cost than all other respondents. The third annual study on protecting cardholder data by Aberdeen Group, a Harte-Hanks Company (NYSE: HHS), provides year-over-year insights into the progress that affected organizations have made in achieving and sustaining compliance with PCI DSS, as well as the specific areas of greatest challenge.

via The 2009 PCI DSS and Protecting Cardholder Data Report.

#PCI Exec Suggests Payment Outsourcing for Smaller Merchants | Practical eCommerce

“I'm seeing a trend, especially among the smaller merchants. They're recognizing they don't have a dedicated IT shop in house. They don't have dedicated security staff that can support ongoing security. What they need to do is to outsource to a service provider that has that security skill set that has that fundamental understanding of just how a payment process works.

via PCI Exec Suggests Payment Outsourcing for Smaller Merchants | Practical eCommerce.

Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers

Connecticut Attorney General Richard Blumenthal (D) has emerged as possibly the first AG to take on a HIPAA investigation, and Arizona’s AG may also be pursuing a similar course. The larger of the two breaches that have come to the AGs’ attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, who also hailed from New Jersey and New York.

via Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers.

PCI-Compliant Stores a Minority – American Banker Article

Less than 50% of businesses with 20,000 or more payment transactions a year are compliant with the Payment Card Industry Data Security Standard, a survey found…

via PCI-Compliant Stores a Minority – American Banker Article.

Recognizing the payment industry achievements of 2009 and looking ahead from Chair of the PCI Security Standards Council

On a global level, the council continues to extend beyond simply defining the standards. We provide resources to address specific security challenges and mobilize the payment community through training sessions, open discussion forums and both formal and informal feedback sessions.

via Recognizing the payment industry achievements of 2009 and looking ahead – SC Magazine US.

New Report Helps Enterprises Choose Their Own DAM Products – database security/Security – DarkReading

Some DAM products provide features for privileged-user monitoring and basic database auditing, two areas that have historically been underserved. Need more? The use of DAM technology is starting to be considered an essential control when demonstrating compliance with industry regulations and standards that require regular review of logs — a category that includes PCI DSS, HIPAA, the Gramm-Leach-Bliley Act, FISMA, and Sarbanes-Oxley.

via New Report Helps Enterprises Choose Their Own DAM Products – database security/Security – DarkReading.

ISO 31000 Risk management

By now, many of you have read the newly released ISO 31000 Risk management — Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor, the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

via The Forrester Blog For Security & Risk Professionals.