Tag Archives: american express

PCI Council Starts a Quality-Control Program for Assessors

(November 17, 2008) The PCI Security Standards Council on Monday introduced a quality-assurance program for the companies that determine whether a merchant, processor, or other entity that touches credit and debit card data meets the council’s rules. The Wakefield, Mass.-based council’s aim is to ensure more uniform enforcement of the Payment Card Industry data-security standard, or PCI.

“We want to make sure it’s as level a playing field as we possibly can,” Robert Russo, general manager of the Wakefield, Mass.-based PCI Council, tells Digital Transactions News.

Participation in the program will be mandatory for PCI Council-registered Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The council has 164 QSAs (87 in the U.S., 16 in Canada), and 145 ASVs, 74 of which also are QSAs. QSAs send assessors out to examine payment-processing systems, while ASVs scan data networks remotely.

Russo says that in launching the program, the council is responding to feedback from PCI-participating organizations and others with a stake in card security about the need for as much uniformity in PCI exams as possible—an often difficult task because determining the existence and degree of a security vulnerability, while in many cases a clear-cut matter, in others can be subjective. “It’s a people business,” Russo says.

But Russo says there was no single event that prompted the program. “It’s not a knee-jerk reaction, it’s the next logical step in the evolution of the program,” he says. The five major card networks—Visa, MasterCard, American Express, Discover, and JCB—created the council to administer and update a common set of security rules now known as PCI, though enforcement remains the responsibility of each network.

The quality-control program arrives not a moment too soon, according to Gartner Inc. analyst Avivah Litan, who researches security technology. “There have been many rumblings about the inconsistent quality of the QSAs,” she tells Digital Transactions News via e-mail. A major issue with PCI compliance is that “a retailer can get two different opinions from the same assessor within a few months,” she says. “And each change of opinion can potentially cost hundreds of thousands or even millions of dollars. Opinions issued by different assessor firms, and by even the same assessor within the same firm, are often different.” Assessors also sometimes have “knee-jerk” reactions and revisit clients they’ve recently examined if a new breach exposes a vulnerability they think should be fixed quickly, she adds.

A big part of the program involves increased monitoring of the compliance reports the QSAs and ASVs produce. Registered firms will be required to submit samples of their reports, redacted for client confidentiality, to the council for periodic review. That will add some work for the assessors, according to Andrew Bokor, chief operating officer of Chicago-based Trustwave, one of the biggest PCI assessors. A recent Trustwave quarterly report to meet the new guidelines took two staffers two-and-a-half weeks to prepare, he says. Still, Bokor doesn’t see that work as a major added task, though he says the program could be more burdensome for smaller QSAs and ASVs. “For us it will not be that impactful primarily because we have a fairly rigorous QA [quality-assurance] training program to begin with,” he says.

Bokor says he doesn’t have one incident that comes to mind, but says there “have been concerns” among the larger assessment firms about “inconsistencies in the QSAs,” mostly involving the work of smaller assessors. “I don’t think there was any foul play involved,” he says.

Uneven assessment quality could be a result of inadequate training, according to Litan. “It’s very easy today to become a QSA,” she says. “The screening of these folks is severely lacking.” Russo, however, says companies are vetted when they first come into the QSA and ASV fields for experience, training, and insurance—a process repeated annually.

Besides the increased monitoring of assessor reports, Russo says council staffers will be visiting the offices of QSAs and ASVs periodically. A PCI Council release says ongoing features of the program include certification reviews, credit checks, training, educational Webinars, newsletters, a dedicated e-mail service, question-and-answer documents, informational supplements, and feedback forms. The PCI Council will roll out the program in four stages next year.

Digital Transactions News.

Security at the Point of Sale – CSO Online – Security and Risk

When thieves stole the PIN pads at a cash register in one of his company’s stores, Daniel Marcotte was amazed. Not that they’d done it—such thefts can happen once a week during the holiday season. But watching it on videotape later, “I couldn’t tell they had it with them when they left” the store, says Marcotte, director of systems and data security at La Senza, a Montreal retailer now owned by The Limited.

A couple of hours later, the thieves were back. They’d doctored the PIN pads to let them get customer card data. They got them back onto the point-of-sale system quickly, too. But here’s where La Senza’s security precautions kicked in: Its PIN pads in effect have their own Media Access Control address, and once they’re disconnected, that address is no longer available. So the thieves were foiled—this time.

The point of sale has always been a target for thieves. Where they once went after the cash drawer, retailers today face sophisticated networks of thieves intent on the criminal equivalent of volume discounts: reams of credit card data, entire shelves of goods to launder or, in the case of pharmaceuticals like Sudafed, precursors for making methamphetamine. Retailers, then, operate under the constant threat of having their point of sale either hacked by cyberthieves (the Dave & Buster’s wireless hack being another recent high-profile example) or spoofed by physical ones.

Between them, these various thieves target all the major aspects of a modern point-of-sale system:

  • The cash register
  • The bar-code scanner
  • Wireless access
  • The in-store voice or IP network
  • The store inventory management system

Where once the big scourge was “till tappers”—people who grab the money and run—that’s no longer a major headache for most retailers, says Keith Aubele, the former loss prevention executive at Wal-Mart and Home Depot, and now a loss-prevention consultant. Instead, they have to contend with sophisticated rings of thieves who’ve figured out that it’s far more lucrative to systematically steal goods by spoofing the point-of-sale systems, especially self-checkout systems, which are “incredibly easy to bypass,” says Aubele.

“You’ve got one supervisor for four to six registers, and you can easily distract that person and you take merchandise and scan some and hit the deactivator and walk out,” he says.

A bigger problem still is under-ringing, or sweethearting, where crooked cashiers in cahoots with thieves simply don’t scan all the items presented. Retail theft was almost $35 billion, according to the 2007 National Retail Security Survey, and Aubele estimates that between $8 billion and $10 billion of it comes from under-ringing.

“Under-ringing is incredibly hard to detect, under any system,” he says.

Small note of irony: The first mechanical cash register (patented in 1883) was nicknamed “

The major modern method for catching under-ringers is video analytics applied at the point of sale. Companies like IBM, Milestone and an Aubele client, Wren Solutions, all offer video analytics that aim to help store managers see when breaches have occurred.

But such analytics are a bit “pie in the sky,” cautions Steve Hunt of Hunt Business Intelligence in Evanston, Ill. All the pieces work well, he says—”the cameras work fine, the recording system works fine, it integrates with the point-of-sale system perfectly by tagging every transaction, but the analytics aren’t good enough. It’s analytics 1.0.” Aubele acknowledges that video analytics is “a work in progress,” but says “it’s light-years today ahead of where it was two years ago,” and in two years will be light years ahead of today.

Meanwhile, there are new approaches being tried with traditional smash-and-grab techniques, like running off with a rack of leather jackets. Time Domain, a maker of real-time location systems, is putting radio frequency identification (RFID) tags into high-value items, and tracking them via ultra wideband (UWB) wireless technology. Time Domain’s technology creates electronic article surveillance that ties into the cameras at the front of the store and will flag the unusual, like an entire rack of leather coats suddenly moving, and pan the cameras on the items—as long as the store uses pan-and-tilt video cameras. This technology is in pilot right now.

THE FLIP SIDE OF CAPTURING CUSTOMER DATA
Missing merchandise is a visible, countable problem for retailers. Stolen customer data is murkier. Compounding the issue is a fundamental problem: Point-of-sale technology wasn’t designed to capture customer data, securely or otherwise. Most retail technology was developed to help companies track product information—what was sold, when and for how much. But retailers now use these technologies to capture customer data.

That means “at the place where data is captured, you have a rat’s nest of different technologies cobbled together in a way that didn’t pay any heed at all to the sensitivity of the data it captures,” says Brian Kilcourse, managing partner of RSR Research.

Worse, retailers in the last decade shifted away from proprietary networking technologies like IBM’s Token-Ring to Internet Protocol, which offers great flexibility but has inherent security issues. Retailers also tend not to encrypt data, and have been aggressive about adopting wireless technologies, which are harder to secure than wired ones.

It is perhaps a small wonder that the biggest known data theft to date occurred at a retailer, TJ Maxx, or that high-profile data attacks have happened at Hannaford’s, Lowe’s, Stop & Shop and other retailers.

In the last few years, a series of improvements in process and technology has improved point-of-sale security. Some of these improvements come thanks to the efforts of card brands such as American Express, MasterCard and Visa, which created the Payment Card Industry Data Security Standard, PCI DSS for short.

Among them:

  • Compensating controls governing data flow into and out of the various point-of-sale technologies; PCI DSS includes provisions for such controls for different sorts of retailers;
  • encryption for data in transit between parts of the point-of-sale system, such as between the bar-code scanner and the card swiper; VeriFone’s VeriShield is a popular example;
  • better data storage practices, like changing software commands to avoid storing certain types of data;
  • for data that is stored, using encryption systems;
  • wireless credit card readers like the Exadigm XD2000, which include built-in security and reduce potential credit card fraud by making sure the credit card never leaves its owner’s hands.

WAITER, THERE’S A HACKER IN MY SOUP
But it’s a gigantic challenge to get new technology out to the millions of points of sale, which range from the big box retailers to the fitness club to the restaurants to the corner gas station. Each kind of retailer presents its own problems.

Avivah Litan, a Gartner analyst, notes that gas stations have a PCI exemption until 2010, in part because credit card readers tend to be integrated into gas pumps, so upgrading the card reader means upgrading the pump, a very pricey proposition. In the meantime, pumps at the gas station feed to a server, which might feed to a regional server and then on to one at a headquarters operation, each a potential point of weakness.

Many retailers have flocked to wireless technology, which can create more flexible floor layouts and, for restaurants, can draw customers. But the white-hat hacker Simple Nomad says he was asked by a friend who managed a Bennigan’s to check out whether a wireless hub in the restaurant allowed him to gain access to the point-of-sale terminal. He was able to do so. In another restaurant with a wireless hub, he found he could alter orders at the point of sale.

Wireless networks can become insecure even after a retailer thinks it has taken all the right steps to secure them, says Peter Evans, vice president of marketing at IBM Internet Security Systems. Evans says wireless access points often ship with insecure default settings. So after a power outage or a reset, the security settings can revert to off, and the retailer might not know for months that its information was exposed to hackers.
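The failure mode Evans describes, an access point that quietly reverts to an open or WEP configuration after a reset, is cheap to catch if the store’s intended wireless profile is written down and something periodically compares the air against it. The script below is an added example for this page, not IBM’s or any other vendor’s code. It parses the output of `iw dev <iface> scan` on Linux (the sample text is constructed to mimic that output), classifies each access point as open, WEP, WPA or WPA2 from the capability field and the RSN/WPA information elements, and compares the result with a hypothetical baseline of the store’s known BSSIDs and the minimum security each should advertise. A known BSSID advertising weaker security than its baseline is the reset-to-defaults case; an unknown BSSID broadcasting the store SSID is a rogue or impersonating access point.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample mimicking `iw dev wlan0 scan` output (real output indents with tabs;
# the parser strips leading whitespace, so spaces are fine here).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: StoreNet
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
BSS 00:11:22:33:44:66(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    SSID: StoreNet
BSS de:ad:be:ef:00:01(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: StoreNet
    WPA:     * Version: 1
         * Group cipher: TKIP
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    SSID: NeighborCafe
"""

# Hypothetical baseline for one store: BSSID -> (expected SSID, minimum acceptable security).
BASELINE: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("StoreNet", "WPA2"),
    "00:11:22:33:44:66": ("StoreNet", "WPA2"),
}

SEC_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2-TKIP": 3, "WPA2": 4}

@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    privacy: bool = False        # Privacy bit in the capability field (WEP if no RSN/WPA element)
    rsn: bool = False            # RSN information element present (WPA2)
    wpa: bool = False            # vendor WPA information element present (WPA1)
    rsn_group_cipher: str = ""

    def security(self) -> str:
        if self.rsn:
            return "WPA2" if self.rsn_group_cipher == "CCMP" else "WPA2-TKIP"
        if self.wpa:
            return "WPA"
        return "WEP" if self.privacy else "OPEN"

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")

def parse_iw_scan(text: str) -> List[Bss]:
    bsses: List[Bss] = []
    cur = None
    section = None  # information element block ("RSN"/"WPA") the current line belongs to
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = Bss(bssid=m.group(1).lower())
            bsses.append(cur)
            section = None
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            cur.ssid = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            cur.privacy = "Privacy" in line.split()
        elif line.startswith("RSN:"):
            cur.rsn, section = True, "RSN"
        elif line.startswith("WPA:"):
            cur.wpa, section = True, "WPA"
        elif line.startswith("* Group cipher:"):
            if section == "RSN":
                cur.rsn_group_cipher = line.split(":", 1)[1].strip()
        elif not line.startswith("*"):
            section = None  # left the RSN/WPA block

    return bsses

def check_drift(bsses: List[Bss], baseline: Dict[str, Tuple[str, str]]) -> List[str]:
    findings: List[str] = []
    store_ssids = {ssid for ssid, _ in baseline.values()}
    for b in bsses:
        sec = b.security()
        if b.bssid in baseline:
            want_ssid, want_sec = baseline[b.bssid]
            if SEC_RANK[sec] < SEC_RANK[want_sec]:
                findings.append(f"{b.bssid} advertises {sec}, baseline requires {want_sec}: "
                                "possible reset to factory defaults")
            if b.ssid != want_ssid:
                findings.append(f"{b.bssid} now broadcasts {b.ssid!r}, baseline SSID is {want_ssid!r}")
        elif b.ssid in store_ssids:
            findings.append(f"unknown BSSID {b.bssid} broadcasts store SSID {b.ssid!r} with {sec}: "
                            "possible rogue access point")
    return findings

if __name__ == "__main__":
    for finding in check_drift(parse_iw_scan(SAMPLE_SCAN), BASELINE):
        print(finding)
```

On the sample, the second store access point comes back as open and the unknown BSSID impersonating the store SSID is flagged; the neighbouring café network is ignored. Run from a wired host with a wireless interface in each store, or from the central management server over the store’s own access points, and alert on any non-empty result rather than on a schedule someone has to remember.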

Evans says it’s also simple to put a data skimmer on credit card swipe readers without anyone noticing. In fact, he says that recently, “I was a victim of one of these.”

In his case, he says he was fortunate that his credit card provider’s algorithms were able to detect fraudulent usage when his credit card data was used, and the thief was nabbed.

Meanwhile, the PCI Security Standards Council validates payment applications for use with point-of-sale systems. But Tom Wabiszczewicz, a security consultant at NeoHapsis, one of the six Qualified Incident Response Assessors (QIRAs) under Visa’s Cardholder Information Security Program (CISP), says issues persist. Over the course of the year, he has run into situations where companies have secure servers, but Windows-based point-of-sale terminals sitting directly on the Internet are effectively wide open to attack.

He has also seen companies that were storing Track 2 data unencrypted. Track 2 data, the contents of a card’s magnetic stripe, is enough to clone the card, and in one case he saw at a U.S. retailer, its Track 2 data was being sniffed and used to create counterfeit cards that were being used days later in Tokyo.

He says some problems are caused when companies upgrade to a PCI-compliant version of their software without getting rid of the old software, or with older, unencrypted data in databases. Wabiszczewicz says that “they’re doing things correctly from that point on, but what about the leftover data from the database, or the previous version that didn’t encrypt the credit card number or stored Track 2 data?”

Wabiszczewicz recommends that any such upgrade should include a complete reinstall of the entire system.
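The leftover data Wabiszczewicz describes, old debug logs and database rows written by a version that still stored full track data, is something a retailer can look for directly. The scanner below is an added example written for this page, not code from NeoHapsis, the PCI Council or any vendor mentioned here. It searches text (exported logs, database dumps, old data files) for Track 1 and Track 2 magnetic-stripe records, recognised by their format rather than by any list of card numbers, validates the PAN with the Luhn check so that order numbers that merely look like a track are marked as such, and reports only a masked PAN so the scanner itself does not become another place the data lives. The log lines are constructed for the example; the PANs 4111111111111111 and 5555555555554444 are the standard test numbers, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 as encoded on the stripe: ';' PAN '=' YYMM service-code discretionary '?'.
# Sentinels are optional because applications often log the track without them.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")
# Track 1, format B: '%B' PAN '^' name '^' YYMM service-code discretionary '?'.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,40})\??")

@dataclass
class Finding:
    source: str
    line_no: int
    track: int
    masked_pan: str
    expiry: str        # YYYY-MM
    service_code: str
    luhn_ok: bool      # False means the "PAN" fails the check digit and is probably not a card

def luhn_check(pan: str) -> bool:
    """ISO/IEC 7812 check digit: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS permits at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text: str, source: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # (track number, regex, group indices of PAN, YY, MM, service code)
        for track, regex, idx in ((2, TRACK2_RE, (1, 2, 3, 4)), (1, TRACK1_RE, (1, 3, 4, 5))):
            for m in regex.finditer(line):
                pan, yy, mm, svc = (m.group(i) for i in idx)
                if not 1 <= int(mm) <= 12:
                    continue  # expiry month out of range: not a real track
                findings.append(Finding(source, line_no, track, mask_pan(pan),
                                        f"20{yy}-{mm}", svc, luhn_check(pan)))
    return findings

# Constructed log excerpt: one masked PAN (fine), one raw Track 2, one raw Track 1,
# and one order reference that has the shape of a track but fails Luhn.
SAMPLE_LOG = """\
2008-10-03 14:02:11 POS01 sale amount=34.99 auth=OK pan=411111******1111
2008-10-03 14:02:11 POS01 debug raw=;4111111111111111=09121011234567890?
2008-10-03 14:05:40 POS02 debug raw=%B5555555555554444^DOE/JANE^1003101000000000?
2008-10-03 14:07:02 POS02 ref=;1234567890123456=1105101?
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG, "pos.log"):
        flag = "" if f.luhn_ok else " (fails Luhn, probably not a card)"
        print(f"{f.source}:{f.line_no} track{f.track} {f.masked_pan} "
              f"exp {f.expiry} svc {f.service_code}{flag}")
```

Run it over log exports and database dumps before and after an application upgrade. Any Luhn-valid hit is sensitive authentication data at rest and has to be purged, not just encrypted going forward; even a Luhn-invalid hit is worth a look, because a structurally complete track record in a log means the application wrote the full stripe to disk at some point.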

Despite these myriad issues, Wabiszczewicz says it is relatively straightforward to protect today’s point-of-sale systems. “If you have a correct policy, you train employees, limit what they can do on the front end of the POS system and you’re running PCI-compliant point-of-sale software, you are in very good shape,” he says.

POINT OF SALE GRADE-A UPGRADES
For companies that are installing brand new point-of-sale systems, they have a much better chance of being secure from the get-go.

That’s the course followed by Original Pizza Pan, in North Ridgeville, Ohio. A 25-year-old operation, it went through a franchise boom in the last few years, and now has about 100 locations. It had never used a formal point-of-sale system in its stores, and in 2007 decided that it was time to get one. A secure system was one of its priorities, though it was about fourth on its priority list, behind things like ease of ordering, better customer service and building databases of customers, says Edward Rizk, the firm’s development director.

Rizk says that he picked a vendor, DiamondTouch, that develops systems specifically for pizza stores. But it was a big plus that it offered managed security services and also gave them the option to integrate a surveillance camera with the point-of-sale system. Such systems time-stamp the video every time the cash register drawer opens, allowing store owners to monitor whether money is staying where it belongs.

The systems don’t use wireless at all; DiamondTouch encourages franchisees to change their passwords on a monthly basis and makes sure they’re encrypting their data. The franchisees are not expected to send data on operations or customers back to the central office, Rizk says.

Even so, the system isn’t ironclad. Original Pizza Pan wants its store owners to save their data on a separate computer as a backup. Rizk says, “I recommend to my franchises that they download their database to a computer that does not have Internet access.” But whether they really listen to him, he doesn’t know. “That’s their business,” he says.

Rizk is in the enviable position of being able to start from scratch. Most established retailers don’t have that luxury, says RSR’s Kilcourse. Worse, a large retailer probably has the ultimate distributed computing environment, which makes them a huge headache to upgrade.

“If you have 3,000 stores with 10 to 12 point-of-sale systems apiece, you have a management problem of very large proportion,” Kilcourse says. “How do you safely upgrade so many systems? And if you’re going to do it, how do you afford the cost?”

He says that it’s almost financially impossible for a large retailer to go through a major replacement of point-of-sale systems. In fact, he says he’s heard a retail CIO say his point-of-sale system was “old enough to drink.”

The downturn means that retailers will likely hang on to technology even longer. The threat of fines for not complying with PCI is spurring companies to upgrade. But it’s hard for retailers to cost-justify many types of technology upgrades.

For instance, chip-and-PIN technology for credit cards, prevalent in Europe, is more secure than using classic magnetic-stripe cards. TJX Vice Chairman Donald Campbell told The Boston Globe in late August that he’d like to see retailers, banks and card issuers pool their resources and upgrade all cards and readers to the chip-and-PIN system. The cost: about $2 per credit card and as much as $500 per reader, multiplied by 12 million readers. Campbell told the Globe that it would probably cost TJX $20 million to upgrade to chip-and-PIN readers. (TJX did not respond to a request for comment for this article.)

Economic downturns, cost obstacles and technology weaknesses aside, retailers will continue to battle the threats they face. And vendors will continue to try to make it easier to battle those threats. IBM, on October 1, announced its new SecureStore initiative, which aims to help store owners better manage their technology centrally. Evans says that part of IBM’s motivation for the announcement is to address the scale problem that retailers face, when trying to upgrade and monitor systems spread out at literally thousands of stores, with perhaps tens of thousands of points of sale. The intent is that companies can use IBM server and management technology to do remote upgrades and monitoring of systems to identify situations such as an open wireless network, and then fix it.

“The current model of delivering security to customers is broken—the customer just wants security to go away,” Evans says.

IBM’s management effort is not the first, but Kilcourse says it was probably more holistic than others on the market.

La Senza’s Marcotte is a likely adopter of SecureStore offerings. He’s already using some of IBM’s security software, and he’s placed a purchase order for IBM’s Tivoli management system to help centralize upgrades and monitor the company’s roughly 1,000 point-of-sale systems across 350 stores.

Being able to monitor and do software upgrades remotely would be a plus, he says, especially since La Senza tends to upgrade its point-of-sale terminals roughly every three years, which he calls “heavy work” for the six people who work on point-of-sale security at the company.

“This centralized approach will be huge,” says Marcotte.

Of course, centralized management creates a single target for hackers to attack. But in security, there are always trade-offs.

Security at the Point of Sale – CSO Online – Security and Risk

VeriFone Takes Lead in Securing Card Payments with PA-DSS – MarketWatch

VeriFone (NYSE: PAY) today announced an aggressive program to ensure implementation of the PCI Security Standards Council’s (PCI SSC) Payment Application Data Security Standard (PA-DSS). This program establishes a comprehensive PA-DSS compliance policy aimed at ensuring protection of cardholder information across virtually all merchant environments and all types of card acceptance devices.

VeriFone expects rapid availability of its terminal-based payment applications to meet all needs of acquirers and merchants in complying fully with the PA-DSS mandate. PC- and server-based VeriFone applications such as PAYware PC already comply with PA-DSS or its predecessor, the Visa Payment Applications Best Practices (PABP). PA-DSS is intended to ensure secure payment applications do not store prohibited data, such as full magnetic stripe, CVV2, PIN or other sensitive data, and are compliant with the PCI Data Security Standard (PCI DSS).

First published in April 2008, PA-DSS expands upon PABP to encompass card acceptance devices known as “stand-alone POS terminals,” which are commonly used by smaller “level 4” merchants who represent the largest installed base of payment acceptance devices globally. It also encompasses consumer facing payment devices and programmable PIN pads that are connected to electronic cash registers in use at larger “level 1 and 2” merchants.
Merchants are increasingly utilizing these systems in a manner that brings them under PA-DSS requirements, leading VeriFone to establish a universal compliance program for all of its applications used in its programmable payment acceptance devices going forward, initially targeting the US/Canada market. Because each payment application certified by each bank, processor or acquirer must now be audited, full PA-DSS compliance will result in hundreds of individual audits by qualified assessors. Auditing device-based payment applications at the supplier level will minimize the number of audits required and lower compliance costs for buyers.
“Adherence to the PA-DSS by vendors is an excellent way organizations can ensure the utmost in transaction integrity. Providing customers with only PA-DSS audited applications will help us further standardize security levels industry-wide,” said Bob Russo, general manager of the PCI Security Standards Council.
The PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to enhance payment account data security by driving education and awareness of the PCI Security Standards.
“There is nothing more important to this industry than a consumer’s trust in the payment system and VeriFone applauds this bold step by the PCI SSC to create a third-party validation testing program that positively verifies compliance to the PA-DSS standard and ensures protection of sensitive cardholder information,” said VeriFone Chief Security Officer Dave Faoro. “We are taking this bold step to ensure that banks, acquirers and merchants can easily comply.”
According to the PA-DSS mandate, POS terminals that encompass payment applications must be audited by a PA-QSA laboratory unless they are utilized in very limited environments that reduce the possibility of compromise. These restrictions stipulate that the payment device should have no connection to any of the merchant’s systems or networks, that they connect to the acquirer or merchant via a private line, that they can be securely updated remotely, and that sensitive authentication data is not stored. The overwhelming majority of “stand-alone POS terminal” payment applications being certified today by leading processors no longer meet all of these usage restrictions, so therefore fall under the scope of the PA-DSS compliance mandate.

VeriFone Takes Lead in Securing Card Payments with PA-DSS – MarketWatch.

Thales joins PCI Security Standards Council

Thales, a leader in information systems and communications security, announced today that it has joined the PCI Security Standards Council as a new participating organisation.

As a Participating Organisation, Thales will work with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards.

The PCI DSS, endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., requires merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data integrity. More information on the council and the standard can be found at www.pcisecuritystandards.org

As a Participating Organisation, Thales will now have access to the latest payment card security standards from the Council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organisations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents an entity’s best protection against data criminals. By joining as a Participating Organisation, Thales is adding its voice to the process.

“The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data,” said Bob Russo, General Manager of the PCI Security Standards Council. “By participating in the standards setting process, Thales demonstrates it is playing an active part in this important end goal.”

Paul Meadowcroft, Head of Transaction Security for the Information Systems Security activities of Thales, said: “As a leader in the provision of security solutions to the banking and finance sector, we endeavour to be at the centre of the continuous improvement of payment security standards and processes. We believe that the PCI DSS is a strong defence in the fight against data theft. By joining the PCI Security Standards Council, we are committed to advancing the understanding and adoption of PCI DSS and we look forward to collaborating with other Council members for the benefit of the wider industry in the future.”

Finextra: Thales joins PCI Security Standards Council

Why Do Bad Things Happen to PCI-Compliant Companies?

By Jack M. Germain | E-Commerce Times

All too often, compliance with Payment Card Industry security standards by no means ensures a business’ credit card transactions are actually safe and sound. In fact, some of the highest-profile customer data breaches in recent memory have happened at companies that had met PCI standards. The difference between compliance and actual security is constant vigilance.

Caution: Just because your company has a payment card industry (PCI) compliance certificate, don’t assume your data is perfectly safe and secure. You can still suffer a breach.

That’s the lesson recently learned by retail clothing company Forever 21. Company officials posted a notice on the company’s Web site last month telling customers of a data breach involving 98,000 credit cards. Forever 21 was PCI compliant at the time of the breach, according to a written statement the company released.

Being PCI compliant does not guarantee that a firm is immune from a breach. A recent study entitled “Cost of Compliance” disclosed that 95 percent of surveyed firms were not confident they would be safe from a data breach even if they were PCI compliant.

Two other store chains — Hanover Foods and TJ Maxx — offer further examples of PCI compliance shortfalls, though in the case of TJ Maxx, the store was in the process of achieving full compliance when the incident occurred. The list of companies breached while PCI compliant grows larger all the time.

“A common theme I see is a tremendous amount of subjectivity is used in applying the PCI standards,” Chris Konrad, senior vice president of client services for security and risk management firm Fortrex, told the E-Commerce Times.

Inexact Science

Part of the problem is a lack of constant, vigilant oversight of one’s compliance status, Konrad noted. A company can be PCI compliant today but fall out of compliance next week.

Another part is that qualified security assessors don’t all perform the same way. Security auditors come from a variety of backgrounds. Some are from IT, others from engineering industry, according to Konrad.

“All QSAs (Qualified Security Assessors) take the same courses taught by the same instructors and pass the same exams. Yet you take 10 QSAs and will get 10 different interpretations of a rule,” Konrad said.

Know What’s Up

In data breach cases involving PCI-compliant companies, the firm itself is not necessarily the only entity responsible for what went wrong. PCI compliance is only as good as the effort to maintain it.

“The key thing to understand is that it is an ecosystem. Each party plays a part in a game. You can’t put all the blame on the retailers,” Kim Singletary, director of retail and embedded systems for IT environmental control firm Solidcore, told The E-Commerce Times.

The key to preventing data breaches after reaching PCI compliance is knowing your infrastructure and what is changing, she said. Battening down the security landscape involves doing more than focusing on stolen laptops and hackers breaking into networks.

“Especially in the payment merchant field, much upgrading is needed. We need to rethink the viewpoint on what happens when the credit card hits the swipe machine,” said Singletary. “There is no perimeter anymore when you assess security risk. All of that is degrading. Now there are too many points of connection.”

PCI Shortcomings

Cases like those of Forever 21, Hanover Foods and TJ Maxx point to the shortcomings of the PCI certification process. However, in the absence of better security practices, PCI is better than no precaution at all.

“PCI is not a panacea. It is a guideline for better security. The implementation of the regulations is getting better and tighter,” Mandeep Khera, chief marketing officer for Cenzic, told the E-Commerce Times.

The payment card industry will continue to see more cases of data breaches despite PCI compliance, he said. PCI assessments are not perfect, and the problem lies in their execution.

“We have a long way to go, but it is getting better,” said Khera. “Previously, Web application security was totally ignored, as was WiFi security.”

New Regs Helpful

The refinements in PCI DSS version 1.2, which went into effect Oct. 1, may or may not bring a reduction in data breaches, noted Konrad. The new requirements may help QSAs and company IT workers better monitor the factors that change risk levels after compliance is issued.

However, “What the end user needs to know is that once compliance is attained, anything new added to the mix changes that compliance qualification. For instance, if you add a new employee or add a server, or anything that changes the assessment can cause a non-compliant state,” he explained.

A basic solution is for businesses to worry less about PCI compliance and concentrate more on their security, he said.

More Awareness

The cheapest security measure that an enterprise has is constant employee training and awareness of the circumstances, according to Konrad. Companies need a sound security and compliance policy adopted from the top down.

“It needs to be in the corporate DNA. In many cases it isn’t. The fundamental problem is that corporations don’t follow up,” he said.

Singletary sees a degradation of the retail infrastructure at the root of compliance problems. Companies are not keeping up to date with technology, and the industry is moving at a pace that nobody understands, she said.

The real solutions are found in being able to do real-time monitoring and the ability to check out runtime events, Singletary said.

Consumer Backlash

Ultimately, fewer data breaches may come as a result of consumer mandates. Retailers could start feeling their customers’ pain if payment card processors do not go beyond the intent of PCI regulations.

“Lots of people have their head in the sand over this. Consumers need to be up in arms over this. These security lapses will cost taxpayers higher credit and processing costs when they do card transactions,” Singletary said.

Technology News: E-Commerce: Why Do Bad Things Happen to PCI-Compliant Companies?.

TravelCLICK’s iHotelier Receives PCI Certification

New certification for credit card data security reinforces the hotel reservation system’s position as leading merchandizing platform

Chicago, IL (PRWEB) September 26, 2008 — TravelCLICK, the leader in hotel ecommerce solutions, announced today that the iHotelier Central Reservation System has been certified by ControlCase as meeting the payment card industry (PCI) Data Security Standards for credit card processing. iHotelier is certified for all the major credit cards including Visa, MasterCard, American Express and Discover. TravelCLICK hotel customers not only experience award-winning website design and booking engine advantages but also the confidence that guest transaction data is secured, delivering a superior online merchandizing solution.

The PCI Data Security Standard is a multifaceted security standard developed by the credit card companies. It requires service providers to comply with rigorous requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help proactively protect consumer account data in online booking transactions from fraud, hacking and other threats.

“Our clients trust us with their customers’ most precious data, their personal credit card information,” said Abhi Dhar, Chief Information Officer at TravelCLICK. “Keeping data secure is top priority and the foundation of our evolving technology solution. As the leading online merchandizing platform for hotels, our hotel customers are not only confident in our ability to help them convert more consumers, but also to ensure consumer data security.”

According to TravelCLICK’s eTRAK industry report on hotel booking performance, approximately 30 percent of transactions are direct web bookings, which require a credit card transaction over the Internet.

TravelCLICK’s iHotelier Receives PCI Certification