PCI

PCI compliance in the cloud decoded

As interest in the public cloud remains strong, a security expert makes sense of new recommendations for securing payment card data in those environments.

Hotel tech trade association offers best practices for reducing payment card risk

When it comes to credit card fraud, the hospitality industry has offered an attractive target for cyber criminals. Now, one trade group is helping these properties overcome security and compliance hurdles with a new framework.

PCI e-commerce guidance issued for merchants

The council charged with administering the PCI standard has documented common vulnerabilities in online payment environments and offered suggestions for installing technology to deter threats.

Threats can originate close to home

The Payment Card Industry Security Council is working to foster greater PCI expertise across the industry.

Making peace with the cloud and BYOD

If there are two trends that have created a multitude of issues for security professionals, they're cloud services and bring-your-own-device. But there are ways to manage them.

Global Payments working to again validate its PCI compliance

For the first time, breached processor Global Payments disclosed on Tuesday that a number of card brands have removed the company from their approved list of service providers.

MasterCard announces product future around EMV

The EMV standard, widely considered an effective way to curb counterfeit card fraud because it requires a microchip to be embedded in a credit or debit card or on a mobile device, is gradually picking up steam in the U.S.

Campus relief: Kilgore College and Viewfinity

A community college in Texas found a tool that enabled it to fend off viruses while coming into compliance, reports Greg Masters.

Visa advises on more secure credit card transactions

Visa has issued best practices that detail how retailers, card issuers and processors can upgrade their credit card transaction technology to a chip-based model, so as to avoid burdensome complexity, cost and time to market.

Secret Service charges Romanian man with ATM fraud

A Romanian citizen, with an expired U.S. visa, has been arrested on charges of serving as the "installer" of skimming devices on some 40 ATMs in the New York City area.

Hackers steal 200,000 card numbers from wholesaler

Hackers breached the systems of New York-based food services wholesaler Restaurant Depot, and stole hundreds of thousands of credit and debit card numbers.

PCI Council releases tokenization guidance

Tokenization solutions can simplify the requirements of PCI DSS by taking systems that no longer contain sensitive credit card numbers out of scope, according to a new guidance document from the PCI Council.

PCI Council revokes company's QSA status

The PCI Security Standards Council last week revoked CSO's Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA) status.

Views regarding PCI compliance are mostly positive

A new survey from Cisco reveals that organizations are getting better at handling their obligations to meet payment industry security guidelines.

PCI Council releases guidance on emerging technologies

The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Tuesday issued two new guidance documents assessing the impact of emerging data security technologies on payment card security. One paper focuses on point-to-point encryption (P2PE), also commonly known as end-to-end encryption, an emerging technology used to mask cardholder data from point-of-swipe through processing. Properly implemented, P2PE will allow merchants to reduce their scope in complying with the PCI DSS, according to the document. A separate guidance document is focused on EMV, a global standard for authenticating credit and debit card payments. EMV and PCI DSS should complement each other and not be seen as competing standards, according to the PCI Council. — AM

Is the United States the weakest link when it comes to credit card security?

Nations abroad may be forging ahead of the United States in terms of offering consumers enhanced cardholder protection, but the decision to move toward technology such as chip-and-PIN is not always cut and dried.

PCI Council: P2PE simplifies PCI DSS compliance

The group responsible for managing payment security rules plans to release two new guidance documents early next month assessing the impact of emerging data security technologies on payment card security.

HP to buy ArcSight for $1.5 billion

Another IT security company was gobbled up by an IT bellwether when HP on Monday announced plans to acquire Cupertino, Calif.-based SIEM provider ArcSight for $1.5 billion.

Visa releases best practices for installing payment apps

Visa on Tuesday announced best practices for companies to use when implementing, installing and managing programs that process payment applications. The guidance will complement the existing Payment Application Data Security Standard (PA-DSS), which prescribes 14 requirements for software developers that build programs that process credit card payments. The Visa payment application best practices, developed in conjunction with the SANS Institute, include 10 guidelines and can be downloaded here. They are meant for vendors, integrators and resellers. — DK

Wal-Mart considers chip-and-PIN

Wal-Mart is reportedly about to institute smartcard-based payment at all its U.S.-based stores. A company spokesman revealed this week, according to reports, that payment terminals capable of recognizing chip-and-PIN technology could soon replace signature-based credit card transactions. The move by the world's largest retailer could force other merchants, card issuers and processors to migrate to chip-and-PIN technology, said experts. The system, which uses an embedded chip to verify the card is legitimate, is thought to be significantly safer than traditional magnetic stripe cards, but the cost of adopting the system, widely used in Europe and other countries, has delayed implementation. - GM

PCI Council releases new PIN security standard

The group responsible for managing payment security rules has released version 3.0 of the PIN Transaction Security (PTS) standard. The new version replaces the PIN Entry Device (PED) standard in an effort to streamline point-of-sale security guidelines to also cover unattended payment terminals, such as fuel dispensers, and hardware security modules, which are non-user-facing devices used in PIN translations. The update "simplifies the testing process and eliminates overlap of documentation," according to the PCI Security Standards Council. The council also plans to release updates to its Payment Application Data Security Standard and flagship PCI Data Security Standard later this year. — DK

New PCI internal assessor training program

The PCI Security Standards Council, tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), on Friday announced a new training program designed to educate internal security personnel on conducting assessments. The three-day course, to be led by PCI Council experts, either will enable security departments to better work with third-party assessors or allow them to conduct their own assessments, Bob Russo, the council's general manager, told SCMagazineUS.com. Merchants that process more than six million annual transactions are required to conduct annual on-site PCI DSS assessments. Classes will be held in multiple locations. For more information, including pricing, visit here. — DK

Law to allow banks to recoup breach losses

A new Washington state law set to go into effect July 1 will allow banks to recoup certain data breach losses from negligent businesses. Under the new law, passed by the state Legislature in late March, financial institutions can seek reimbursement from large retailers and credit card processors that have suffered a data breach — if they failed to comply with the Payment Card Industry Data Security Standard (PCI DSS). The new law is similar to a Minnesota statute passed in 2007. — AM

Two-day SC Magazine PCI econference continues today

Join us Tuesday and Wednesday for our special two-day SC eConference and Expo: Complying with PCI.

Forty percent using compensating controls to meet PCI

Forty-one percent of merchants are relying on compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements, according to a survey released Monday by the Ponemon Institute and commissioned by encryption firm Thales. The survey polled 155 qualified security assessors, who are charged with confirming a company's adherence to PCI. Compensating controls "may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints," according to the PCI Security Standards Council. — DK

Why intrusion prevention systems fail to protect web applications

There is overwhelming evidence in reports such as the SANS Top Cyber Security Risks and the Verizon Data Breach Investigation Report that web applications are the Achilles' heel of most networks and criminals know it. In order to protect web applications, the network security paradigm has to shift from "Keep People Out" to "What Are They Doing?" and the IT infrastructure spending needs to follow suit.

Bruce Rutherford named chair, PCI Security Standards Council

Bruce Rutherford of MasterCard was named chairperson today of the PCI Security Standards Council, an organization that drives education and awareness of the PCI Data Security Standard and other best practices to increase payment data security. In the position, Rutherford, who is group head, fraud management solutions, payment system integrity at MasterCard, is charged with increasing adoption of the PCI standards and refining the next version. - GM

The death of security assessments?

After breaches such as at Heartland Payment Systems, the time may have come for organizations to stop relying on security assessments in favor of potentially more effective risk management tactics.

Lawsuit against BJ's over 2004 breach dismissed

The Massachusetts Supreme Judicial Court last week affirmed a lower court ruling dismissing a case against BJ's Wholesale Club over a 2004 breach.

PCI Council examines merits of new technologies

Merchants, desiring an easier path to PCI compliance, may soon be encouraged to consider a number of nascent technologies that can help protect cardholder data.
