Tag Archives: discover

Heartland Payment Systems Reports Breach

Credit card processing company Heartland Payment Systems disclosed today it suffered a malware attack last year. The discovery was made after officials from Visa and MasterCard reported suspicious activity involving processed card transactions.

Payments processor Heartland Payment Systems disclosed today it was hit with a malware attack last year that may have resulted in a large cache of financial data being compromised.

The company said it launched an investigation after officials at Visa and MasterCard reported suspicious activity surrounding processed card transactions. In response, Heartland enlisted forensic auditors to conduct an investigation. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network, Heartland officials said.

In a statement released today, Heartland declared the breach had been contained. The company further added that no merchant data or cardholder social security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. None of Heartland’s check-management systems were involved either, officials added.

“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer, in the statement. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

In the wake of the incident, Heartland has announced plans to implement a program designed to flag network anomalies in real-time and help law enforcement catch cyber-criminals. The company has also created a Web site – www.2008breach.com – to provide information about the situation. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

“Heartland apologizes for any inconvenience this situation has caused,” continued Baldwin. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”

Based in Princeton, NJ, Heartland provides credit, debit, prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.

via eWeek.

E-mail snafu exposes names of confidential witnesses

From the how-not-to-keep-a-secret department comes the tale of an official at U.S. Attorney Patrick Fitzgerald’s office in Chicago who inadvertently e-mailed a document containing the names of more than 20 confidential witnesses in a federal probe to the media.

According to reports published by the Chicago Tribune and The Smoking Gun Web site, the snafu happened Wednesday, when a spokesman for Fitzgerald attached the document to an e-mail message announcing felony charges against individuals named John Walsh and Charles Martin. The two men were partners in a foreign-exchange futures dealer called One World Capital Group, located in the Chicago area but now defunct, that is accused of defrauding customers of US$15 million.

Included along with the 62-page complaint filed against Walsh and Martin was a one-page chart that identified 24 sources who were mentioned only in an anonymous fashion in the complaint itself. The sources included former One World employees, customers and “other” individuals, according to a copy of the document that was posted by The Smoking Gun with the names blurred out. The document also apparently identified two investment groups that hadn’t been publicly named.

Once the error was discovered, Fitzgerald spokesman Randall Sanborn quickly sent out another e-mail asking all of the media members who received the original document to quickly destroy it, according to the two reports.

A woman who answered the phone at Fitzgerald’s office — which currently is also involved in the high-profile corruption investigation of Illinois Gov. Rod Blagojevich — referred all questions about the e-mail snafu to Sanborn. “I have no comment about this matter,” he said via e-mail.

Such inadvertent exposures involving e-mail aren’t uncommon. In October 2007, for instance, the U.S. House’s Committee on the Judiciary had to apologize to about 150 would-be whistle-blowers for accidentally exposing their e-mail addresses to other individuals who, like them, had used a committee Web site to secretly submit tips about alleged abuses at the Department of Justice.

That mix-up occurred when one of the committee’s clerical employees accidentally included all of the e-mail addresses in the “To” field of a message that was sent out to each tipster informing them of certain changes in access conditions. Many of the addresses contained the names of the whistle-blowers.

Earlier that same month, an e-mail glitch exposed the names, telephone numbers and other personal details of several thousand security professionals and military officers who had subscribed to a daily news roundup e-mailed by the Department of Homeland Security. That error resulted in DHS networks eventually being deluged with more than 2 million e-mails as messages from people on the distribution list were repeatedly copied to everyone else.

E-mail snafu exposes names of confidential witnesses – Network World.

Unseen communications violate PCI DSS compliance | OUT-LAW.COM

One of the key requirements for compliance with PCI DSS (the Payment Card Industry Data Security Standard) is that organisations block all non-approved channels of communication, screen all traffic and prohibit direct routes for inbound and outbound internet traffic. The trouble is that many organisations forget about the communication traffic they cannot see: traffic that uses highly evasive techniques and easily circumvents the traditional security methods used to control the network.

Today’s workforce expects instant messaging and other real-time communications tools including web conferencing, Voice over IP, and social networking to be ‘always on’, just as their predecessors viewed email.

The problem is Web 2.0 applications like IM, Skype and the chat functions within Facebook can easily traverse the network without being seen, potentially allowing credit card information to leave the organisation unauthorised. If they cannot be seen then they cannot be managed or secured, resulting in a significant risk of violating PCI compliance.

In a recent study of data collected from sixty FaceTime customers there were over 51,000 individual requests for Facebook – 30% of these were for Facebook chat. With 95% of all access requests for social networking sites being allowed by policy it is a sobering thought to those with the responsibility of compliance.

Real-time communication is big business, and companies such as Yahoo!, AOL and Skype develop their applications to get as many users as possible signed up to their network, rigorously testing client applications against standard enterprise security infrastructures to ensure their application can tunnel through. Many applications use encrypted protocols, making it impossible for an Intrusion Protection System to detect or to control them.

In addition, they use peer-to-peer connections. Skype, for instance, uses a peer-to-peer connection and is encrypted end-to-end, often even tunnelling through HTTP if that is the only port that it finds open on the firewall, negating the use of a URL filtering solution to control it. Consequently, many organisations do not even realise that their users have installed real-time communications applications.

Should companies look to ban such technologies? The general consensus is no, though the jury is out on Skype (but that’s another story). Industry analysts such as Gartner say that companies should look to embrace such tools along with enterprise versions such as Microsoft OCS and Lotus Sametime, not just for their telephony savings but for their recognised benefit of increasing productivity and collaboration within the workplace.

However, even companies implementing Unified Communications (UC) should be aware that, though enterprise-grade solutions provide some management and control, they don’t natively provide everything required to comply with many regulatory standards such as the Data Protection Act, let alone with PCI DSS.

In addition, a lack of standards may still see employees trying to install other client software so that they can communicate with friends not using that UC tool, often exacerbating the problem.

Fully blocking rogue communication applications requires more than a traditional firewall. The first step to take is to understand the status quo, getting a thorough understanding of what employees are currently doing on the internet. There are free tools available that provide a deep look at exactly what is traversing the enterprise network, and the results are almost always surprising. Organisations that believe they have these applications locked down tend to be amazed when they discover the actual instances of unauthorised traffic on their network. Blocking ports on the firewall and disallowing access to specific URLs doesn’t cut it anymore.

Once companies have visibility of all traffic on their networks, it is then possible to apply policies to allow or block users and for those applications such as IM that are allowed, to enforce hygiene, content filtering and compliance logging. Only then will businesses be certain that they have covered some of the basics of PCI DSS compliance.
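The point of the two paragraphs above is that port- and URL-based controls cannot see an application that tunnels over HTTP or borrows port 443, so visibility has to come from the payload. The following is an added illustration, not code from the OUT-LAW article or from FaceTime: it validates that the first bytes of each flow actually match the protocol expected on that port (a TLS ClientHello on 443, an HTTP request on 80), flags HTTP CONNECT tunnels to non-standard ports, then applies an allow/block policy and emits a compliance log line per flow. The flow records, payload prefixes, port expectations and policy table are all constructed assumptions; in practice the payload prefixes would come from a capture or proxy feed.

```python
"""Protocol validation and policy logging over constructed flow records (added example)."""
from dataclasses import dataclass, field


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client->server payload bytes (constructed for this example)


# Approved applications per organisational policy (assumption for this example).
POLICY = {"tls": "allow", "http": "allow", "ssh": "block", "unknown": "block"}

# Protocol we expect to see on a given destination port (assumption).
EXPECTED_ON_PORT = {443: "tls", 80: "http", 22: "ssh"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ", b"DELETE ")


def is_tls_client_hello(b: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
    then handshake type 0x01 (ClientHello)."""
    return (len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03
            and b[2] in (0x00, 0x01, 0x02, 0x03) and b[5] == 0x01)


def classify(b: bytes) -> str:
    """Identify the application protocol from the payload, not from the port."""
    if is_tls_client_hello(b):
        return "tls"
    if b.startswith(b"SSH-"):
        return "ssh"
    if b.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def connect_target_port(b: bytes):
    """Return the target port of an HTTP CONNECT request, or None if not a CONNECT."""
    if not b.startswith(b"CONNECT "):
        return None
    try:
        target = b.split(b" ", 2)[1]
        _host, _sep, port = target.rpartition(b":")
        return int(port.decode("ascii"))
    except (IndexError, ValueError):
        return None


def evaluate(flow: Flow) -> dict:
    """Classify one flow, record any findings and decide the policy action."""
    app = classify(flow.first_bytes)
    findings = []
    expected = EXPECTED_ON_PORT.get(flow.dport)
    if expected and app != expected:
        findings.append(f"{app} payload on port {flow.dport}, expected {expected}")
    cport = connect_target_port(flow.first_bytes)
    if cport is not None and cport != 443:
        findings.append(f"HTTP CONNECT tunnel to non-standard port {cport}")
    # Any finding overrides the per-application policy and blocks the flow.
    action = "block" if findings else POLICY.get(app, "block")
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "app": app, "action": action, "findings": findings}


def render(record: dict) -> str:
    """One compliance-log line per evaluated flow."""
    reason = "; ".join(record["findings"]) or "policy"
    return (f"{record['action'].upper():5} {record['src']}->{record['dst']}:{record['dport']} "
            f"app={record['app']} reason={reason}")


# Constructed sample flows (RFC 5737 documentation addresses, made-up payload prefixes).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.20", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.0.6", "203.0.113.21", 443, b"\x4a\x7f\x00\x00\x13\x9c\x2d\x11"),
    Flow("10.0.0.7", "203.0.113.22", 80, b"CONNECT 203.0.113.30:33033 HTTP/1.1\r\n"),
    Flow("10.0.0.8", "203.0.113.23", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.0.0.9", "203.0.113.24", 8080, b"SSH-2.0-OpenSSH_7.9\r\n"),
]


def run_sample() -> list:
    """Evaluate the constructed flows and return the compliance records."""
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for rec in run_sample():
        print(render(rec))
```

The second sample flow is the interesting one: it is on port 443 and would pass a port-based firewall rule, but its payload is not a TLS handshake, so it is blocked and logged. The CONNECT case covers the "tunnelling through HTTP" behaviour described above, where the only sign of the tunnel is the target port inside the proxy request.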

via Unseen communications violate PCI DSS compliance | OUT-LAW.COM.

RBS WorldPay Breach Rings Alarm Bells About Acquirer Security

(December 23, 2008) The latest data-breach battleground has shifted to merchant-acquiring and prepaid card territory. Atlanta-based RBS WorldPay, a big acquirer owned by the Royal Bank of Scotland Group that also provides prepaid card programs, late Tuesday afternoon reported a breach of its computer system that may have compromised personal information on about 1.5 million cardholders, including the Social Security numbers of 1.1 million consumers.

The data leak affected prepaid cardholders “and other individuals,” RBS said in a news release, but the company didn’t give a breakdown other than to say the cardholders held payroll and open-loop gift cards. “Personal information associated with certain payroll cards may have been improperly accessed,” the release says. “PINs for all PIN-enabled cards have been or are being reset.” Actual fraud to date involves only 100 cards. The company did not give a loss figure.

Formerly known as RBS Lynk, RBS WorldPay said it discovered the breach Nov. 10 and notified law-enforcement agencies and banking regulators “shortly thereafter,” according to the release. But the company didn’t say why it waited until Dec. 23 to report the breach publicly. Spokespersons did not return calls from Digital Transactions News. Nor did the news release say how the breach happened or when it began. “RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation,” the release says without giving details. RBS WorldPay said it has notified affected cardholders and posted information on its Web site.

This latest breach represents yet another worrisome development in the payment card industry’s unending war with computer intruders. While most of the attention in the past two years has focused on retailers’ lapses in securing credit and debit card data, the RBS WorldPay breach serves as a reminder of how hackers can penetrate the computer systems of a major acquirer and processor. “It’s very bad news,” says Avivah Litan, a technology and security analyst with Stamford, Conn.-based Gartner Inc. She notes that unlike retailers’ computer systems, processors’ systems connect directly to the networks of Visa Inc. and MasterCard Inc. “An attacker that breaks into a processor conceivably can get into the heart of the system,” she says, adding that a fraud-intelligence executive at a Gartner client company recently told her that attacks on acquirers and processors are increasing.

Another question raised by the breach is whether the Payment Card Industry data-security standard, or PCI, is adequate to protect acquirers/processors. While many merchants, especially small ones, don’t yet meet the PCI rules set down by the PCI Security Standards Council and enforced by the card networks, acquirers enforce the rules with their individual merchant clients and presumably are compliant themselves, Litan notes. She did not have information about the status of RBS WorldPay’s PCI compliance.

RBS WorldPay said it has called on outside experts as well as its own security professionals to investigate the breach. Those personnel are working with federal and state investigators. In the release, Ben Barone, RBS WorldPay president and chief executive, said his company “is working closely with leading computer security firms to further safeguard our system.” Barone also said “we regret any inconvenience this may cause affected individuals. We have taken important, immediate steps to mitigate risk and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from this situation.”

RBS WorldPay is offering individuals whose Social Security numbers were compromised free, one-year subscriptions to a credit-monitoring service. Gift cards that have already been purchased retain their value and can be used wherever merchants accept them. Those gift cards that had not been purchased have been deactivated and are being removed for destruction from stores as an additional precaution, RBS said.

via News.

IGT Awarded The First PCI DSS 1.2 Certification | webnewswire.com

Submitted by newsdesk on Mon, 12/22/2008 – 19:42

IGT, a pioneer and global leader in travel technologies and services received the coveted PCI DSS 1.2 certification from leading PCI DSS QSAC, ControlCase. IGT is the first Travel BPO Organization to become PCI DSS 1.2 compliant. It has successfully met the newest version of the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. ControlCase conducted a meticulous audit process of IGT’s security measures used in protecting e-commerce customers and their data involving travel transactions.

ControlCase awarded IGT the PCI DSS 1.2 compliance rating after IGT met the 259 requirements (grouped into 12 broad categories) that make up the control objectives. Data security continues to be a concern for customers making payments over the internet. IGT supports millions of travel transactions annually and enables consumers to make travel purchases in a highly secure manner both online and remotely. The PCI DSS 1.2 certification demonstrates IGT’s continued commitment to the protection and security of our B2C and B2B customers’ account data throughout the transaction process.

Vipul Doshi, CEO, IGT, stated “Our clients rely heavily on credit cards; with more than 2/3rds of travel transactions occurring over the internet, it’s imperative that we maintain the highest standard of information security. Receiving the PCI DSS 1.2 further demonstrates our commitment to protecting our clients and their customers.”

Internet security and personal information continue to be a top priority and concern of individuals transacting over the world wide web. Credit card companies impose hefty fines on companies not meeting PCI compliance requirements. Some reports indicate nearly one trillion dollars per year is spent on travel, and more than 2/3rds of those sales occur with credit cards. Couple that with the travel industry racking up more sales on the internet than any other industry and you have a recipe for serious credit card fraud, the very reason PCI DSS was implemented.

Mohit Magon, Vice President – Business Excellence stated “Achievement of PCI DSS 1.2 compliance reinforces our continuous commitment to the highest level of security standards. As an organization our people are committed to achieve excellence in whatever we do. Our proactive approach to comply with PCI DSS 1.2 standard is a testimony to our responsiveness towards the ever changing business environment and customer needs.”

IGT is the first Travel BPO company to achieve the recently updated version of the PCI DSS. Suresh Dadlani, COO, ControlCase stated “We are pleased to have worked closely with IGT on PCI DSS 1.2 certification. The compliances to the requirements of the standard are quite technically intensive and do not provide any scope for compromises. The achievement of PCI DSS 1.2 Certification in a short period of time was only possible due to the commitment at all levels and the technical competencies demonstrated by the team.”

IGT remains committed to meeting the highest security standards applicable in the information technology industry. With more than 1/3rd of the world’s travel transactions relying on IGT, it’s good to know your data is protected with IGT.

About IGT

InterGlobe Technologies (IGT) provides services and solutions to corporations worldwide in the areas of Business Process Outsourcing (BPO) and Information Technology (IT). IGT’s gamut of offerings spreads across the entire technology spectrum. With some 2000 global employees operating in facilities located in India, North America and Europe, InterGlobe was ranked by The Great Place To Work Institute as the best travel company of India. In 2008, Deloitte and Touche recognized IGT as one of the fastest growing companies in India and The Black Book of Outsourcing ranked IGT as one of the top 5 Travel BPO companies in the world. www.igt.in

About PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a world-wide benchmark mandated by credit card companies for the protection of cardholders’ identity and transaction information. It prevents credit card fraud, hacking and various other security vulnerabilities and threats. The standard was developed by major card brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International.

via IGT Awarded The First PCI DSS 1.2 Certification | webnewswire.com.

Implementing PCI-DSS: The top five issues to consider – Print Article – SC Magazine US

Implementing PCI-DSS: The top five issues to consider

John Linkous, IT governance, risk and compliance evangelist, eIQnetworks, December 22, 2008

Talk to anyone who works for an organization that accepts, processes or even looks at a credit card, and the three letters “PCI” strike a chord of fear that is rarely seen in the IT world. While it’s true that the PCI standards – and specifically the Data Security Standard (DSS) – are rigorous mandates that require experienced security professionals to implement and maintain, achieving PCI compliance is not really rocket science. The following is a list of specific issues to consider related to PCI-DSS. This should help ensure that organizations can not only meet the letter of PCI, but actually make their systems more secure:

 

Implement a security program. Achieving and maintaining compliance with PCI-DSS are two different things. While most of the controls defined in the PCI-DSS standard are technical configurations for hosts and infrastructure devices, organizations are required to maintain these configurations once they are in place. To make that happen, organizations need at least rudimentary security processes in place to ensure that access controls are maintained, anti-malware and other countermeasures are kept up-to-date, and vulnerability assessments are conducted on a regular basis. Without a series of information security processes in place to manage security controls, it’s very easy to fall out of compliance.

Know your assets. The chain of custody around credit card data is one of the most common examples of the lowest common denominator approach to security – the weakest link dictates the likely vector of a malicious attacker. Because a typical credit card payment process can involve many different systems, it is critical to know the information systems that are part of that process, their role, and to what degree (if any) they are exposed to any part of credit card data. If an organization doesn’t have adequate security controls in place on all of these systems, they are at a higher risk of compromise.

Build and maintain a documentation library. Hand-in-hand with knowing what you have is knowing how you manage it. Documentation of all kinds – product and vendor-provided documentation, device configuration worksheets, security processes and procedures, and lists of personnel who have access to PCI data – will all be required as part of the audit process. Having up-to-date information available both for your security program personnel and your external auditors is critical to ensuring that you both maintain security and maintain compliance (which are two separate disciplines).

Awareness and training are crucial. Unfortunately, all of the technical controls in the world cannot stop an employee from inappropriately disclosing or handling cardholder data. While it’s important for organizations to implement technical controls per the PCI-DSS standard, it’s also vital that everyone who has access to cardholder data understand their roles and responsibilities related to the security of data. This includes everyone from point-of-sale personnel who physically touch the card, to DBAs and application developers who manage PCI processing systems, to third-party vendors who have access to limited cardholder information. This requires periodic training, and holding employees, contractors and vendors responsible for their exposure to the chain of custody of PCI data.

Your auditor is your friend. PCI-DSS auditors – both qualified security assessors (QSAs) and approved scanning vendors (ASVs) – exist primarily to ensure that your systems are reasonably secure. While the idea of an external auditor coming on-site to your organization to probe your IT assets and question your personnel may seem like a stress-inducing event, the fact is that even if findings are discovered in your environment, addressing these findings will make you more secure. It is important to challenge your QSA or ASV if they discover findings that you believe are incorrect, but similarly, it is equally important to listen to your auditor and address legitimate security gaps.

via Implementing PCI-DSS: The top five issues to consider – Print Article – SC Magazine US.

IT PRO | PCI’s Bob Russo: Data loss hurts brand more than a fine

As Christmas shoppers spend away and data breaches keep hitting the headlines, the Payment Card Industry’s security council is charged with keeping customers’ data safe.

By Miya Knights, 12 Dec 2008 at 11:14

The Payment Card Industry Data Security Standard (PCI DSS) and the global forum formed to administer it, the PCI Security Standards Council (PCI SSC), pre-dated the biggest security breaches that have come to mark a new era of unprecedented cyber criminal activity.

Since card operators Visa, MasterCard, American Express, Discover and JCB aligned their individual data security policies and created PCI DSS in 2004, the likes of TK Maxx, Cotton Traders and numerous government departments have proven the need for such regulation.

But the PCI DSS has risen up the corporate agenda ever since the threat of fines and losing the ability to process credit cards was introduced with a June 2007 deadline for those found to be non-compliant.

The standard is intended to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. And the PCI council is charged with regulating PCI DSS and communicating its importance to any organisation handling credit card data anywhere in the world.

IT PRO spoke to PCI SSC general manager, Bob Russo about the challenges faced in raising the data security agenda.

IT PRO: 2007 was big year for PCI DSS, with the passing of the payment card operators’ final deadline for compliance. What’s been going on this year?

Russo: It’s been just as busy. We released version 1.2 of the standard in October. Just prior to its release, we had our North America community meeting, which attracted 625 attendants and actually included quite a few representatives from Europe. There were a couple of days’ good debate about the development of the standard, given that we’re in a two-year cycle.

Next year will be a feedback year on how the implementation of version 1.2 has gone. And we also talked about our new QA [quality assessor] programme and got a lot of feedback on that, having kicked it off in October to maintain the quality of PCI assessments as well.

Then we had our first European meeting in Brussels with well over 200 people attending. I would say there is a lot more uptake in Europe on the standard. In fact, they are running, not walking, to comply. Reaction to the new version was good. It doesn’t really contain any surprises, but instead includes a lot of clarifications, so organisations looking to stay up to date don’t have to go back to square one to remain compliant.

It’s interesting that you observe organisations are ‘running’ to be compliant. How do you propose they keep up if, as you say, the standard is on a two-year development cycle?

My guess is that the next release in 2010 will be a 2.0. But there are a couple of things we’re doing to make sure it develops in line with the capabilities of our stakeholders. Starting in January, we’re launching research into how the standard’s specification should embody emerging technologies, like end-to-end encryption, virtualisation and secure payment tokens, that might come outside of its scope, making it easier to comply.

The study that the council is commissioning will also look into making the standard more robust and will be a major piece of what version 2.0 will be. It will help determine what can be added to or deleted from the standard to take account of new systems’ functionality, as well as how any revision might impact that new functionality.

For example, there are specific sections in the standard that set out how credit data is to be stored. But it has to be decided, if the data is being stored in a certain way using particular technologies, whether those would be sufficient to deal with the threats to its security.

We also introduced the Payment Application (PA) DSS. And before the end of the year, we’ll be releasing two additional controls to the existing PED [PIN entry device] standard around unattended payment terminals and hardware or software host security modules.

Having had the opportunity to get feedback on the current release of the standard from merchants and card payment companies, what have been the areas that have attracted the most debate?

I wouldn’t say we’ve had any debate, so much as clarifications, as version 1.2 sought to do, along with the combination and simplification of some of the forms that have to be completed. There were some clarifications on timings and on what security components are in or outside of its scope, such as routers and firewalls. But any organisation handling sensitive data has to use the security features of both. And the standard applies just as much to paper media as it does to electronic media, as another example.

Another area that was discussed was the fact that a lot of merchants have gone down the WEP security route for their wireless networks. But events at TJX and other companies have proven WEP password security is not as secure as it used to be and so we’ve set a deadline of 31 March 2009, after which there should be no new installations of WEP security. And by June 2010, there should be no WEP installations at all.

Well, I’m sure you can imagine that there were a few that weren’t too happy about that, especially as a lot of major merchants have spent a lot of time and money on their wireless networks. But even they, perhaps grudgingly, understand that WPA and WPA2 wireless security standards are far stronger. And the deadlines for transition should give everybody enough time to get ready.

So, if you are finding overall agreement over the specifications of the standard, how easy has it been to get businesses to take the threat of non-compliance seriously?

Lots of companies I meet that are getting compliant are trying to deal with not having any security standards in place at all. They are using PCI DSS as a springboard to get security on the business agenda.

And in the largest, Tier 1 retailers, they have been using legacy systems that were installed 10 to 15 years ago. You have to remember that, what was available in security terms, was quite a bit less than is available now. Retrofitting these security technologies is a very delicate thing to do and costs quite a bit, and perhaps even more so in making sure it doesn’t cause any problems to the business.

This is reflected by the fact we’re looking at developing the qualified assessor programme to be a first line of support for merchants. This is exactly what the PCI council wants, why we train them and why we’ve introduced a process of remediation for assessors as well.

As for the threat of fines, I can’t comment on that as the card brands are in charge of that side of regulation. Thankfully, it hasn’t come to that. But merchants are beginning to understand that the potential damage to their brand if they are involved in a security breach could far outweigh the cost of a fine. And they are realising compliance is becoming a differentiator – that consumers can feel safer shopping with them.

How do you see the progress of PCI DSS efforts in Europe going specifically?

Europe is a little more boisterous than the US, but then it is further along in implementing the EMV chip. That’s succeeded in lowering fraud at the counter with chip and PIN. But that’s also basically succeeded in moving fraud over to CNP (card-not-present) transactions. I also think they’re not shy in addressing any issues they are facing in complying with the standard.

Generally, I think European merchants have also done a lot more work on developing their transactional systems. Within the study I mentioned that we’re launching, we’re calling the EMV chip an emerging technology. But then you guys in Europe are using it every day. I remember back in the beginning of the roll out of PCI DSS, I heard merchants in the UK saying that they’d already jumped through hoops to become compliant with chip and PIN and done stuff to make their systems more secure that we hadn’t in the US. And that’s great, but the security issues are still there. One new technology doesn’t solve the issue. And it’s just one example that reflects the work that needs to be done to make sure the standard is as robust as possible.

You’ve mentioned a major study that the council is launching in the New Year. How will it be conducted and what will it involve?

I can’t say too much about its methodology as the study is now in RFP [request-for-proposal] stage, so its scope may change. But suffice to say, it will very strongly focus on those emerging technologies I mentioned earlier to see how they affect, or don’t affect, the scope of the standard.

via IT PRO | PCI’s Bob Russo: Data loss hurts brand more than a fine.

Gartner – Visa sets Global PCI deadline

Visa announced a global compliance program for the card industry’s key security standard. But many issues remain, including unclear European deadlines and the treatment of merchants that have chip card processing in place.

On 10 November 2008, Visa announced new global standards for compliance with the Payment Card Industry Data Security Standard (PCI DSS) designed to create a consistent worldwide framework for compliance by merchants, service providers and others. The new standards include a global set of requirements for merchants accepting Visa payments to validate compliance with PCI DSS, deadlines for the largest merchants to achieve validation, and deadlines for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. The new deadlines and processes do not, however, apply to European merchants and service providers.

Analysis

The Visa announcement provides some much-needed clarification for the PCI DSS compliance and validation process for some merchants and service providers outside the United States. Visa merchants and service levels are aligned across most world regions, and deadlines and requirements have been set for demonstrating PCI DSS compliance. Nonetheless, several critical PCI DSS questions remain:

  • Visa deadlines and processes will be different in Europe, because Visa Europe is an independent licensee of Visa International. The absence of published deadlines for European companies leaves that region in its current confused state of PCI compliance.
  • Although Visa has once again taken the lead among card brands in moving the PCI compliance process forward, Gartner is not aware of any similar transparent global enforcement efforts or deadlines announced by American Express, Discover, JCB or MasterCard.

Moreover, many of the affected merchants and processors in the different global regions (including Latin America and Asia) — unlike their counterparts in the United States — have already spent considerable sums upgrading their infrastructure to support card brand mandates to roll out chip and personal identification number (PIN) cards. These same companies must now begin the often-costly PCI compliance process. Merchants Gartner has consulted believe they should be granted some type of compensation (in the form of reduced PCI compliance requirements or extended deadlines) for their chip and PIN support. Visa has indicated that some limited compensation is available to the largest European (Level 1) retailers, whose acquirers may, at their discretion, recategorize them to Level 2 if they have successfully deployed Europay, MasterCard and Visa (EMV) Chip and PIN, and EMV chip cards are encoded with iCVV (card verification value for integrated circuit cards).

Recommendations

Merchants and service providers:

  • Continue to focus on strengthening cardholder data security first, because PCI compliance will follow by default.
  • Begin securing your cardholder data and systems now, and do not wait for your acquiring bank to contact you about PCI compliance.

Visa Europe:

  • Publish deadlines and processes for European companies that must comply with PCI standards.

All card brands:

  • Strengthen the security of the payment system by recognizing that magnetic stripes on cards will not go away until all countries and cardholders move to chip and PIN, and by adding cardholder authentication to magnetic-stripe cards.
  • Create a new Self-Assessment Questionnaire with further-reduced PCI DSS compliance requirements for merchants who have upgraded to chip and PIN infrastructure and are not storing any electronic cardholder data.

Source: visa_sets_global_pci_deadlin_163330.pdf

PCI Council Starts a Quality-Control Program for Assessors

(November 17, 2008) The PCI Security Standards Council on Monday introduced a quality-assurance program for the companies that determine whether a merchant, processor, or other entity that touches credit and debit card data meets the council’s rules. The Wakefield, Mass.-based council’s aim is to ensure more uniform enforcement of the Payment Card Industry data-security standard, or PCI.

“We want to make sure it’s as level a playing field as we possibly can,” Robert Russo, general manager of the Wakefield, Mass.-based PCI Council, tells Digital Transactions News.

Participation in the program will be mandatory for PCI Council-registered Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The council has 164 QSAs (87 in the U.S., 16 in Canada), and 145 ASVs, 74 of which also are QSAs. QSAs send assessors out to examine payment-processing systems, while ASVs scan data networks remotely.

Russo says that in launching the program, the council is responding to feedback from PCI-participating organizations and others with a stake in card security about the need for as much uniformity in PCI exams as possible—an often difficult task because determining the existence and degree of a security vulnerability, while in many cases a clear-cut matter, in others can be subjective. “It’s a people business,” Russo says.

But Russo says there was no single event that prompted the program. “It’s not a knee-jerk reaction, it’s the next logical step in the evolution of the program,” he says. The five major card networks—Visa, MasterCard, American Express, Discover, and JCB—created the council to administer and update a common set of security rules now known as PCI, though enforcement remains the responsibility of each network.

The quality-control program arrives not a moment too soon, according to Gartner Inc. analyst Avivah Litan, who researches security technology. “There have been many rumblings about the inconsistent quality of the QSAs,” she tells Digital Transactions News via e-mail. A major issue with PCI compliance is that “a retailer can get two different opinions from the same assessor within a few months,” she says. “And each change of opinion can potentially cost hundreds of thousands or even millions of dollars. Opinions issued by different assessor firms, and by even the same assessor within the same firm, are often different.” Assessors also sometimes have “knee-jerk” reactions and revisit clients they’ve recently examined if a new breach exposes a vulnerability they think should be fixed quickly, she adds.

A big part of the program involves increased monitoring of PCI compliance reports by the QSAs and ASVs. Registered firms will be required to give the council samplings of reports, edited for client confidentiality, for periodic review. That will add some work for the assessors, according to Andrew Bokor, chief operating officer of Chicago-based Trustwave, one of the biggest PCI assessors. A recent Trustwave quarterly report to meet the new guidelines took two staffers two-and-a-half weeks to prepare, he says. Still, Bokor doesn’t see that work as a major added task, though he says the program could be more burdensome for smaller QSAs and ASVs. “For us it will not be that impactful primarily because we have a fairly rigorous QA [quality-assurance] training program to begin with,” he says.

Bokor says he doesn’t have one incident that comes to mind, but says there “have been concerns” among the larger assessment firms about “inconsistencies in the QSAs,” mostly involving the work of smaller assessors. “I don’t think there was any foul play involved,” he says.

Uneven assessment quality could be a result of inadequate training, according to Litan. “It’s very easy today to become a QSA,” she says. “The screening of these folks is severely lacking.” Russo, however, says companies are vetted when they first come into the QSA and ASV fields for experience, training, and insurance—a process repeated annually.

Besides the increased monitoring of assessor reports, Russo says council staffers will be visiting the offices of QSAs and ASVs periodically. A PCI Council release says ongoing features of the program include certification reviews, credit checks, training, educational Webinars, newsletters, a dedicated e-mail service, question-and-answer documents, informational supplements, and feedback forms. The PCI Council will roll out the program in four stages next year.

News.

PCI Webinar

The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announces it is offering a complimentary webinar, “Understanding PCI DSS Version 1.2,” to be held on Tuesday Nov. 25, 2008 at 11:30 a.m. EST and at 7:30 p.m. EST. The session will be repeated on Wednesday Dec. 17, 2008 at 10:30 a.m. EST and 8:30 p.m. EST.

These one-hour webinars are designed for merchants and service providers who are implementing the PCI DSS and want to better understand the changes brought about with version 1.2, which was released on Oct. 1, 2008. The series will feature Bob Russo, General Manager of the Council, and Lauren Holloway, Chairperson of the Council’s Technical Working Group. During each session Mr. Russo and Ms. Holloway will address key elements of version 1.2 and what it means for any organization’s compliance efforts.

Webinar participants will discover:

– Elements of each of the 12 requirements of version 1.2;

– What has changed from version 1.1;

– Key dates for version 1.2, and

– The intent of the Council in making any changes.

To register for the 11:30 a.m. EST session on Nov. 25 click http://register.webcastgroup.com/event/?wid=0801125084404 and for the 7:30 p.m. EST session click http://register.webcastgroup.com/event/?wid=0801125084405. To register for the 10:30 a.m. EST session on Dec. 17 click http://register.webcastgroup.com/event/?wid=0801217084406 and for the 8:30 p.m. EST session click http://register.webcastgroup.com/event/?wid=0801217084407. These webinars will be recorded and available for download on the Council’s Web site for those who cannot attend any of the sessions.

For More Information:

If you would like more information about the PCI Security Standards Council or would like to become a Participating Organization please visit pcisecuritystandards.org, or contact the PCI Security Standards Council at participation@pcisecuritystandards.org.

State College Business | Centre Daily.