PCI News, Articles and Updates
As interest in the public cloud remains strong, a security expert makes sense of new recommendations for securing payment card data in those environments.
When it comes to credit card fraud, the hospitality industry has offered an attractive target for cyber criminals. Now, one trade group is helping these properties overcome security and compliance hurdles with a new framework.
The council charged with administering the PCI standard has documented common vulnerabilities in online payment environments and offered suggestions for installing technology to deter threats.
The Payment Card Industry Security Council is working to foster greater PCI expertise across the industry.
For the first time, breached processor Global Payments disclosed on Tuesday that a number of card brands have removed the company from their approved list of service providers.
The EMV standard, widely considered an effective way to curb counterfeit card fraud because it requires a microchip to be embedded in a credit or debit card or on a mobile device, is gradually picking up steam in the U.S.
A community college in Texas found a tool that enabled it to fend off viruses while coming into compliance, reports Greg Masters.
Visa has issued best practices that detail how retailers, card issuers and processors can upgrade their credit card transaction technology to a chip-based model, so as to avoid burdensome complexity, cost and time to market.
A Romanian citizen, with an expired U.S. visa, has been arrested on charges of serving as the "installer" of skimming devices on some 40 ATMs in the New York City area.
Hackers breached the systems of New York-based food services wholesaler Restaurant Depot, and stole hundreds of thousands of credit and debit card numbers.
Tokenization solutions can simplify the requirements of PCI DSS by taking systems that no longer contain sensitive credit card numbers out of scope, according to a new guidance document from the PCI Council.
The PCI Security Standards Council last week revoked CSO's Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA) status.
A new survey from Cisco reveals that organizations are getting better at handling their obligations to meet payment industry security guidelines.
The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Tuesday issued two new guidance documents assessing the impact of emerging data security technologies on payment card security. One paper focuses on point-to-point encryption (P2PE), also commonly known as end-to-end encryption, an emerging technology used to mask cardholder data from point-of-swipe through processing. Properly implemented, P2PE will allow merchants to reduce their scope in complying with the PCI DSS, according to the document. A separate guidance document is focused on EMV, a global standard for authenticating credit and debit card payments. EMV and PCI DSS should complement each other and not be seen as competing standards, according to the PCI Council. — AM
Nations abroad may be forging ahead of the United States in terms of offering consumers enhanced cardholder protection, but the decision to move toward technology such as chip-and-PIN is not always cut and dried.
The group responsible for managing payment security rules plans to release two new guidance documents early next month assessing the impact of emerging data security technologies on payment card security.
Another IT security company was gobbled up by an IT bellwether when HP on Monday announced plans to acquire Cupertino, Calif.-based SIEM provider ArcSight for $1.5 billion.
Visa on Tuesday announced best practices for companies to use when implementing, installing and managing programs that process payment applications. The guidance will complement the existing Payment Application Data Security Standard (PA-DSS), which prescribes 14 requirements for software developers that build programs that process credit card payments. The Visa payment application best practices, developed in conjunction with the SANS Institute, include 10 guidelines and can be downloaded here. They are meant for vendors, integrators and resellers. — DK
Wal-Mart is reportedly about to institute smartcard-based payment at all its U.S.-based stores. A company spokesman revealed this week, according to reports, that payment terminals capable of recognizing chip-and-PIN technology could soon replace signature-based credit card transactions. The move by the world's largest retailer could force other merchants, card issuers and processors to migrate to chip-and-PIN technology, said experts. The system, which uses an embedded chip to verify the card is legitimate, is thought to be significantly safer than traditional magnetic stripe cards, but the cost of adopting the system, widely used in Europe and other countries, has delayed implementation. - GM
The group responsible for managing payment security rules has released version 3.0 of the PIN Transaction Security (PTS) standard. The new version replaces the PIN Entry Device (PED) standard in an effort to streamline point-of-sale security guidelines to also cover unattended payment terminals, such as fuel dispensers, and hardware security modules, which are non-user-facing devices used in PIN translations. The update "simplifies the testing process and eliminates overlap of documentation," according to the PCI Security Standards Council. The council also plans to release updates to its Payment Application Data Security Standard and flagship PCI Data Security Standard later this year. — DK
The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Friday announced a new training program designed to educate internal security personnel on conducting assessments. The three-day course, to be led by PCI Council experts, will either enable security departments to work better with third-party assessors or allow them to conduct their own assessments, Bob Russo, the council's general manager, told SCMagazineUS.com. Merchants that process more than six million annual transactions are required to conduct annual on-site PCI DSS assessments. Classes will be held in multiple locations. For more information, including pricing, visit here. — DK
A new Washington state law set to go into effect July 1 will allow banks to recoup certain data breach losses from negligent businesses. Under the new law, passed by the state Legislature in late March, financial institutions can seek reimbursement from large retailers and credit card processors that have suffered a data breach — if they failed to comply with the Payment Card Industry Data Security Standard (PCI DSS). The new law is similar to a Minnesota statute passed in 2007. — AM
Join us Tuesday and Wednesday for our special two-day SC eConference and Expo: Complying with PCI.
Forty-one percent of merchants are relying on compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements, according to a survey released Monday by the Ponemon Institute and commissioned by encryption firm Thales. The survey polled 155 qualified security assessors, who are charged with confirming a company's adherence to PCI. Compensating controls "may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints," according to the PCI Security Standards Council. — DK
There is overwhelming evidence in reports such as the SANS Top Cyber Security Risks and the Verizon Data Breach Investigation Report that web applications are the Achilles' heel of most networks and criminals know it. In order to protect web applications, the network security paradigm has to shift from "Keep People Out" to "What Are They Doing?" and the IT infrastructure spending needs to follow suit.
Bruce Rutherford of MasterCard was named chairperson today of the PCI Security Standards Council, an organization that drives education and awareness of the PCI Data Security Standard and other best practices to increase payment data security. In the position, Rutherford, who is group head, fraud management solutions, payment system integrity at MasterCard, is charged with increasing adoption of the PCI standards and with refining the next version. - GM
After breaches such as at Heartland Payment Systems, the time may have come for organizations to stop relying on security assessments in favor of potentially more effective risk management tactics.
The Massachusetts Supreme Judicial Court last week affirmed a lower court ruling dismissing a case against BJ's Wholesale Club over a 2004 breach.
Merchants, desiring an easier path to PCI compliance, may soon be encouraged to consider a number of nascent technologies that can help protect cardholder data.
Sixty percent of IT security professionals polled in a recent study said their organization does not have sufficient resources to become PCI compliant.