VeriFone Takes Lead in Securing Card Payments with PA-DSS – MarketWatch

PAY 10.58, +1.27, +13.6%), today announced an aggressive program to ensure implementation of the PCI Security Standards Council’s (PCI SSC) Payment Application Data Security Standard (PA-DSS). This program establishes a comprehensive PA-DSS compliance policy aimed at ensuring protection of cardholder information across virtually all merchant environments and all types of card acceptance devices.

VeriFone expects rapid availability of its terminal-based payment applications to meet all needs of acquirers and merchants in complying fully with the PA-DSS mandate. PC- and server-based VeriFone applications such as PAYware PC already comply with PA-DSS or its predecessor, the Visa Payment Applications Best Practices (PABP). PA-DSS is intended to ensure secure payment applications do not store prohibited data, such as full magnetic stripe, CVV2, PIN or other sensitive data, and are compliant with the PCI Data Security Standard (PCI DSS).

First published in April 2008, PA-DSS expands upon PABP to encompass card acceptance devices known as “stand-alone POS terminals,” which are commonly used by smaller “level 4” merchants who represent the largest installed base of payment acceptance devices globally. It also encompasses consumer facing payment devices and programmable PIN pads that are connected to electronic cash registers in use at larger “level 1 and 2” merchants.
Merchants are increasingly utilizing these systems in a manner that brings them under PA-DSS requirements, leading VeriFone to establish a universal compliance program for all of its applications used in its programmable payment acceptance devices going forward, initially targeting the US/Canada market. Because each payment application certified by each bank, processor or acquirer must now be audited, full PA-DSS compliance will result in hundreds of individual audits by qualified assessors. Auditing device-based payment applications at the supplier level will minimize the number of audits required and lower compliance costs for buyers.
“Adherence to the PA-DSS by vendors is an excellent way organizations can ensure the utmost in transaction integrity. Providing customers with only PA-DSS audited applications will help us further standardize security levels industry-wide,” said Bob Russo, general manager of the PCI Security Standards Council.
The PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to enhance payment account data security by driving education and awareness of the PCI Security Standards.
“There is nothing more important to this industry than a consumer’s trust in the payment system and VeriFone applauds this bold step by the PCI SSC to create a third-party validation testing program that positively verifies compliance to the PA-DSS standard and ensures protection of sensitive cardholder information,” said VeriFone Chief Security Officer Dave Faoro. “We are taking this bold step to ensure that banks, acquirers and merchants can easily comply.”
According to the PA-DSS mandate, POS terminals that encompass payment applications must be audited by a PA-QSA laboratory unless they are utilized in very limited environments that reduce the possibility of compromise. These restrictions stipulate that the payment device should have no connection to any of the merchant’s systems or networks, that it connects to the acquirer or merchant via a private line, that it can be securely updated remotely, and that sensitive authentication data is not stored. The overwhelming majority of “stand-alone POS terminal” payment applications being certified today by leading processors no longer meet all of these usage restrictions, and therefore fall under the scope of the PA-DSS compliance mandate.

VeriFone Takes Lead in Securing Card Payments with PA-DSS – MarketWatch.

Thales joins PCI Security Standards Council

Thales, a leader in information systems and communications security, announced today that it has joined the PCI Security Standards Council as a new participating organisation.

As a Participating Organisation, Thales will work with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards.

The PCI DSS, endorsed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., requires merchants and service providers that store, process or transmit customer payment card data to adhere to information security controls and processes that ensure data integrity. More information on the council and the standard can be found at www.pcisecuritystandards.org.

As a Participating Organisation, Thales will now have access to the latest payment card security standards from the Council, be able to provide feedback on the standards and become part of a growing community that now includes more than 500 organisations. In an era of increasingly sophisticated attacks on systems, adhering to the PCI DSS represents an entity’s best protection against data criminals. By joining as a Participating Organisation, Thales is adding its voice to the process.

“The PCI Security Standards Council is committed to helping everyone involved in the payment chain protect consumer payment data,” said Bob Russo, General Manager of the PCI Security Standards Council. “By participating in the standards setting process, Thales demonstrates it is playing an active part in this important end goal.”

Paul Meadowcroft, Head of Transaction Security for the Information Systems Security activities of Thales, said: “As a leader in the provision of security solutions to the banking and finance sector, we endeavour to be at the centre of the continuous improvement of payment security standards and processes. We believe that the PCI DSS is a strong defence in the fight against data theft. By joining the PCI Security Standards Council, we are committed to advancing the understanding and adoption of PCI DSS and we look forward to collaborating with other Council members for the benefit of the wider industry in the future.”

Finextra: Thales joins PCI Security Standards Council

New health-care privacy laws heighten need for HIPAA compliance in California

Schwarzenegger signs two data privacy bills that use the federal HIPAA law as a baseline

Jaikumar Vijayan

October 7, 2008 (Computerworld) Health care organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.

Last week, California Gov. Arnold Schwarzenegger signed into law two pieces of legislation that significantly increase state fines for security and privacy violations involving patient health information. The bills — known as Senate Bill 541 and Assembly Bill 211 — also set new breach-disclosure standards and mandate security controls for preventing unauthorized access to patient data.

In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of health care data and imposing administrative fines on entities that fail to comply with the rules. Both laws were signed by Schwarzenegger last Tuesday — the same day that he vetoed a data breach bill aimed at retailers — and are scheduled to take effect on Jan. 1.

The bills significantly raise the bar on security and privacy controls for health care businesses in California, warned Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas. “The laws change the level of scrutiny, they increase penalties and fines by enormous amounts, they have mandatory reporting requirements and they allow individuals to sue,” MacKoul said.

And, he noted, the statutes are likely to put more pressure on companies in California to comply with the Health Insurance Portability and Accountability Act (HIPAA), whose privacy and security provisions took effect in 2003 and 2005, respectively. HIPAA mandates many of the same controls on data as the new California laws do, but it has yet to be broadly enforced by the federal government.

“The state is using HIPAA as the floor, saying it has been so many years since HIPAA went into effect that you needed to have complied with it a long time ago,” MacKoul said. As state statutes, SB 541 and AB 211 don’t directly require health care organizations to comply with the HIPAA regulations — but in effect, that is what they will end up doing, he added.

The new California laws also come at a time when more attention is finally being paid to HIPAA enforcement at the federal level. Earlier this year, for instance, the U.S. Department of Health and Human Services imposed a $100,000 settlement on Seattle-based Providence Health & Services and forced the health care provider to adopt a stringent “corrective action plan” in response to what HHS described as potential HIPAA violations.

The so-called resolution agreement — the first of its kind to be signed under HIPAA — stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients during 2005 and 2006. The settlement stemmed from only the second known HIPAA audit conducted by HHS, following one last year at Piedmont Hospital in Atlanta. But the deal with Providence was widely seen in the health care industry as a sign that HHS would step up its enforcement actions going forward.

In California, SB 541 was sponsored by the California Department of Public Health (CDPH) and is aimed at stemming the increasing number of breaches involving patient health data in the state, according to an analysis of the bill by consultants for the State Assembly’s Committee on Health. Previously, there were no specific penalties or administrative actions available for the state to use against organizations that failed to prevent unauthorized access, use and disclosure of patient data, the analysis noted.

The new law amends and adds to sections of the California Health and Safety Code. One of the most significant changes is the addition of a requirement that covered entities take steps to prevent unauthorized access to patient health data — not just “unlawful” access, as was the case previously.

The change in terminology means that health care organizations will need to implement controls not just to protect information from malicious outsiders, but also to guard against misuse of data by employees who have access to systems as part of their job responsibilities, MacKoul said.

For instance, the consultants who wrote the analysis of SB 541 for the Committee on Health pointed to an incident at the University of California, Los Angeles, earlier this year in which a former UCLA Medical Center employee was charged with illegally accessing the confidential medical records of 939 individuals — including Maria Shriver, Schwarzenegger’s wife, and about 30 other celebrities. And that employee was just one of 127 workers at UCLA who allegedly snooped into data files without authorization.

SB 541 specifically requires covered businesses — such as licensed clinics, health facilities, home health agencies and hospices — to implement physical, technical, administrative and procedural safeguards for preventing unauthorized and unlawful access to patient data and for monitoring employee access to the data. The new law gives the CDPH authority to impose fines of up to $25,000 for each patient whose medical information may have been accessed, used or disclosed in an unauthorized manner.

Health care organizations also face administrative penalties of up to $100,000 — or four times the previous maximum of $25,000 — for data privacy and security violations that potentially put patients at immediate risk of injury or death. And SB 541 includes a new disclosure rule, under which any breaches must be disclosed both to the affected patients and the CDPH within five days of being discovered. Organizations that fail to do so can be fined $100 per violation for each day they are late, up to a maximum of $250,000.

Importantly, SB 541 also allows the CDPH to refer entities that aren’t compliant with HIPAA to the new Office of Health Information Integrity for enforcement under the provisions of AB 211. That bill, which is an amended version of an earlier measure, also requires health care organizations to “reasonably safeguard” patient data from unauthorized access.

Like SB 541, AB 211 was sponsored by the CDPH and provides for a range of fines to be assessed against violators, starting from $2,500 to $25,000 per violation for organizations that negligently disclose patient records. People or companies that illegally use medical information for financial gain face fines of up to $250,000 per violation.

In addition, AB 211 allows individuals to take legal action against covered entities and licensed health professionals for failing to adequately protect their medical data. Patients can claim up to $1,000 in damages under the law, even if a data exposure caused them no harm.

New health-care privacy laws heighten need for HIPAA compliance in California.

Fraud Ring Funnels Data From Cards to Pakistan – WSJ.com

European law-enforcement officials uncovered a highly sophisticated credit-card fraud ring that funnels account data to Pakistan from hundreds of grocery-store card machines across Europe, according to U.S. intelligence officials and other people familiar with the case.

Specialists say the theft technology is the most advanced they have seen, and a person close to British law enforcement said it has affected big retailers including a British unit of Wal-Mart Stores Inc. and Tesco Ltd.

The account data have been used to make repeated bank withdrawals and Internet purchases, such as airline tickets, in several countries including the U.S. Investigators haven’t pinpointed the culprits. Early estimates of the losses range from $50 million to $100 million, but the figure could grow, said the person close to British law enforcement.

The scheme uses untraceable devices inserted into credit-card readers that were made in China.

The devices selectively send account data by a wireless connection to computer servers in Lahore, Pakistan, and constantly change the pattern of theft so it is hard to detect, officials say.

“Pretty small but intelligent criminal organizations are pulling off transnational, multicontinent heists that only a foreign intelligence service would have been able to do a few years ago,” said Joel F. Brenner, the U.S. government’s top counterintelligence officer.

U.S. intelligence officials, including senior National Security Agency officials, are monitoring the case, in part because of its ties to Pakistan, which has become home to a resurgent al Qaeda.

The scheme comes on the heels of the August indictment of a fraud ring that stole more than 40 million credit-card numbers from U.S. companies, including TJX Cos., the parent company of TJ Maxx.

In March, security officials at MasterCard Inc. saw a pattern of potential fraud in northern England. Meanwhile, a security guard at a U.K. grocery store noticed suspicious static on his cellphone and alerted authorities. Scotland Yard learned of the report and eventually connected it with the warning from MasterCard, according to the person close to British law enforcement.

Examining the store’s credit-card readers, investigators discovered a high-tech bug tucked behind the motherboard. It was a small card containing wireless communication technology.

The bug would read an individual’s card number and the corresponding personal identification number, then package and store the data. The device would once a day call a number in Lahore to upload the data to servers there and obtain instructions on what to steal next.

A MasterCard spokesman declined to discuss details of the case but said safeguarding financial information is a top priority for the company.

There is no obvious visual indication that a machine has been altered, but those with the bugs weigh about four ounces more. For the past several months, teams of investigators have been weighing thousands of machines across Europe with a precision scale.

So far, investigators have found hundreds of machines in at least five countries: Britain, Ireland, Belgium, the Netherlands and Denmark. They have turned up at European grocery chains including Asda, which is owned by Wal-Mart; Tesco; and J Sainsbury PLC, according to the person close to British law enforcement.

A spokeswoman for Asda said, “It’s subject to a police investigation, so we can’t comment.” A spokeswoman for Sainsbury denied its stores were hit by the scheme. A spokeswoman for Tesco said: “We’re aware that this was an issue for retailers.” She said Tesco tested its devices and is confident they are now secure.

The device can be told to copy certain types of transactions — for example, five Visa platinum cards or every tenth transaction. It can also be instructed to go dormant to evade detection. On average, only five to 10 card numbers would be phoned in to Pakistan, the person close to British law enforcement said.

Write to Siobhan Gorman at siobhan.gorman@wsj.com

Fraud Ring Funnels Data From Cards to Pakistan – WSJ.com.

TravelCLICK’s iHotelier Receives PCI Certification

New certification for credit card data security reinforces the hotel reservation system’s position as leading merchandizing platform

Chicago, IL (PRWEB) September 26, 2008 — TravelCLICK, the leader in hotel ecommerce solutions, announced today that the iHotelier Central Reservation System has been certified by ControlCase as meeting the payment card industry (PCI) Data Security Standards for credit card processing. iHotelier is certified for all the major credit cards including Visa, MasterCard, American Express and Discover. TravelCLICK hotel customers not only experience award-winning website design and booking engine advantages but also the confidence that guest transaction data is secured, delivering a superior online merchandizing solution.

The PCI Data Security Standard is a multifaceted security standard developed by credit card companies. It requires service providers to comply with rigorous requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help proactively protect consumer account data in online booking transactions from fraud, hacking and other threats.

“Our clients trust us with their customers’ most precious data, their personal credit card information,” said Abhi Dhar, Chief Information Officer at TravelCLICK. “Keeping data secure is top priority and the foundation of our evolving technology solution. As the leading online merchandizing platform for hotels, our hotel customers are not only confident in our ability to help them convert more consumers, but also to ensure consumer data security.”

According to TravelCLICK’s eTRAK industry report on hotel booking performance, approximately 30 percent of transactions are direct web bookings, which require a credit card transaction over the Internet.

TravelCLICK’s iHotelier Receives PCI Certification