Today, OWASP has released an updated report capturing the top ten risks associated with the use of web applications in an enterprise. This colorful 22 page report is packed with examples and details that explain these risks to software developers, managers, and anyone interested in the future of web security. Everything at OWASP is free and open to everyone, and you can download the latest OWASP Top 10 report for free at:
via OWASPTop10-2010-PressRelease – OWASP.
The PCI Security Standards Council is studying a number of emerging technologies and plans to issue a guidance document on end-to-end encryption when it releases the next version of the PCI Data Security Standards (PCI DSS), due out in October. Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry “big buzz word.” Other technologies being studied include the use of tokenization and chip and PIN technologies to protect credit card data and how virtualization affects data protection technologies. In this interview, conducted at the recent 2010 RSA Security Conference, Russo explains whether the next version of PCI DSS will have any major changes and why the Council takes a cautious approach to adding changes to the standard.
via PCI Council readying end-to-end encryption guidance.
The Payment Card Industry data security standards, which influence design of networks where sensitive payment-card account data is stored, are expected to be further revised by the PCI Security Standards Council over the next few months.
Bob Russo, general manager of the PCI Security Standards Council, says that by early summer the organization expects to be able to issue a summary for a new PCI standard, which would go into effect in about October.
via PCI Security Standards Council readying new payment-card security standard.
PCI Security Standards Council general manager Bob Russo said the next revision of the Payment Card Industry Data Security Standard (PCI DSS), due in October, will contain clarifications but no major changes to the standard.
via No major PCI DSS revision expected in 2010.
MasterCard’s decision to reverse itself on its end of year 2010 deadline for new Level 2 PCI requirements was not based on retail complaints or on avoiding the hectic holiday period for merchants, according to a key MasterCard manager heading up the effort. Instead, the change was based on giving retailers more time to work with a new PCI training program, he said.
via StorefrontBacktalk » Blog Archive » MasterCard: December PCI Deadline Change Not For Holiday Conflict.
The Health Insurance Portability and Accountability Act (HIPAA) allows CVS Caremark access to information on patients covered by its pharmacy benefit manager for administering claims and other limited purposes. Company letters collected by NCPA document CVS Caremark tapping into personal medical histories for marketing purposes, such as to urge patients to switch an existing prescription from their independent community pharmacy to a CVS retail or Caremark mail order pharmacy. A redacted example letter can be found here
via Pharmacists and Consumer, Privacy Advocates Urge Feds to Investigate CVS Caremark for Alleged HIPAA Violations.
More than 95% of call centres were found to store customers’ credit card details in recordings of phone conversations in breach of industry rules, according to a survey conducted by a call recording technology company.
Veritape said that when it talked to 133 call centre managers, only 39% of them knew about industry rules against the storing of the information and just 3% of them wiped credit card numbers from recordings of phone calls. Veritape provides call recording services to the call centre industry.
via Survey: Call centre data standards ‘routinely ignored’ • The Register.
Heartland relationship managers were told that PCI compliance was not a big deal. One of Heartland’s relationship managers resigned on or around April 23, 2009, in part because of Heartland’s statements regarding its PCI compliance
via StorefrontBacktalk » Blog Archive » Lawsuit: A Heartland Manager Resigned Because Of PCI Compliance Issues.
A mere seven per cent of respondents to a survey on data management believed data loss has a “high” impact on a business.
via IT managers under-estimate the impact of data loss: survey – Network World.
In response to a letter from several retail trade associations suggesting changes in PCI (Payment Card Industry) data security standards, the PCI Security Standards Council here invited the trade groups to participate in the feedback process beginning on July 1 to shape the next version of the standard.
“We encourage all Participating Organization stakeholders, including the letter’s authors, to actively participate in that feedback process,” said Bob Russo, general manager of the PCI Security Standards Council. “We appreciate the input from these industry associations and we do encourage those that are not formal Council stakeholders to join up and become active participants, lending practical security expertise — along with their ideas — to evolve payment data security standards.”
via PCI Security Standards Council Invites Industry Feedback.