Regulatory changes are coming for the payment-card industry, say leaders of the PCI Security Standards Council, which is responsible for developing and implementing security standards for cardholder data protection.

The council, which has about 500 participants, just completed the annual process of electing its board of advisors. Cisco and Citrix Systems were among the candidates elected this week to the 14 elected seats on the 21-member advisory board, which will provide feedback on upcoming initiatives.

Among these initiatives are possible new requirements around the use of virtualization and wireless technologies, as well as more definitive answers on how to “scope,” or set the limits of, a PCI assessment.

Still unclear is whether the council will back the concept of end-to-end encryption as a way for the industry to help fight payment-card fraud, such as the breach that struck Heartland Payment Systems earlier this year.



As retailers shut down and liquidate their point of sale systems, guess what else they’re selling?

Without question, 2008 was an eventful year for major financial institutions, with massive losses, questions of solvency and, ultimately, government bailouts now totaling over a trillion dollars. The corporate fire sales, downsizing and mergers now commonplace in the financial industry are cause not only for serious concern about the health of our economy, but also for concern about the security of personal and financial data. With companies being sold and mergers taking place on such tight deadlines, mistakes regarding the confidentiality and privacy of that data are likely being made every day, and the risk to the personally identifiable information entrusted to these firms is increasing significantly.


Former CISO and Symantec strategic consulting director Ariel Silverstone goes through PCI DSS line by line and offers suggestions to make it more effective

There’s no doubt that the mere existence of a uniform policy — adopted, recommended and even mandated by such firm rivals as American Express, Visa and MasterCard — is a huge step forward.

Before the existence of PCI DSS, it was hard to find two banks that agreed on the same standards, or a merchant that could comply with (at times contradictory) requirements by the major payment industry players.

PCI does make things better, easier, and more understandable. Unfortunately, as is commonly the case on these electronic shores, it does the minimum needed — and sometimes not even that — in its approach.


Visa gives payment services provider the green light following 2008 megabreach

Heartland Payment Systems, which exposed the personal information of millions of credit card customers in a major data breach last year, has been given its PCI compliance back.


While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve small merchants – defined as Level 4 by the Payment Card Industry (PCI) Data Security Standard (DSS). More than 6 million small merchants are doing business in North America; fewer than 5 percent have attested to compliance with the PCI DSS.

These are potentially costly statistics for acquirers, who ultimately shoulder the monetary burden should their merchants experience breaches.

Beyond their abundance, Level 4 merchants carry unique challenges. Acquirers can reduce their overall risk and dramatically improve compliance rates among these merchants by overcoming four often-overlooked pitfalls when designing their PCI compliance programs.


HIPAA, GLBA, Sarbanes-Oxley, and PCI compliance violations uncovered through five-day Secure Assessment Program in Q1 2009
Palisade Systems, a leading provider of data loss prevention products and services, announced today the quarterly results of its 5-Day Secure Assessment Program. From January through March 2009, Palisade’s PacketSure data loss prevention appliance uncovered over 525,000 compliance violations.
