Mar 14 2014

Hacking Point of Sale

Category: cyber security, data security | DISC @ 9:28 am

A hands-on guide to achieve better security at point of sale

Hacking Point of Sale – A must-have guide for those responsible for securing payment card transactions. Hacking Point of Sale is a book that tackles the issue of payment card data theft head on. It covers issues ranging from how attacks are structured to the structure of magnetic stripes to point-to-point encryption, and much more.

Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

Hacking Point of Sale…

• A unique book on credit and debit card security, with an emphasis on point-to-point encryption (P2PE) of payment transactions, from standards to design to application
• Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV, and ISO
• Details how protected areas are hacked and how attackers find vulnerabilities
• Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

An essential guide for security professionals who are charged with addressing security issues in point of sale systems.

Tags: debit card, Information Security, Payment card industry, Payment Card Industry Data Security Standard, Point of sale


Nov 27 2012

PCI Risk Assessment Tips Offered

Category: pci dss | DISC @ 11:18 am

 

A credit card, the biggest beneficiary of the Marquette Bank decision (Photo credit: Wikipedia)

Council Issues Guidelines to Address Security Shortcomings

In its just-released guidelines for ongoing risk assessments, the Payment Card Industry Security Standards Council notes three specific areas for improvement.

The guidelines, which are intended for any organization that handles credit or debit card data, offer specific recommendations for risk assessments, such as how to create an internal risk-assessment team and address risk reporting.

But Bob Russo, general manager of the PCI Council, points out that card data is only as secure as the weakest link in the payments chain. Compliance with PCI-DSS is the responsibility of all organizations and businesses that handle card data, he stresses. They must ensure that all links in the payments chain keep card-data protections up-to-date.

“The standard requires an annual risk assessment, because the DSS validation is only a snapshot of your compliance at a particular point in time,” Russo says.

Requirement 12.1.2 of the PCI-DSS states that any organization that processes or handles payment cards must perform a risk assessment at least annually. The PCI Council’s new recommendations include the need for:

  • A formalized risk assessment methodology that fits the culture of the organization;
  • A continuous risk assessment process that addresses emerging threats and vulnerabilities;
  • An approach that uses risk assessments to complement, not replace, ongoing PCI Data Security Standard compliance.

While the PCI Council does not enforce compliance, merchants, processors and others found to be out of PCI compliance after a breach or some other event will likely face steep fines from the card networks.

“Performing a risk assessment at least annually will help you identify the security gaps and address them,” Russo says. “The council received a lot of requests for clarity here. We hope the guidelines help them in their efforts to establish an annual process.”

To find out how to identify and address common threats in a risk assessment by Tracy Kitten …

Tags: Payment card, Payment card industry, Payment Card Industry Data Security Standard, PCI Council, pci dss, Risk Assessment


Nov 19 2012

PCI view of Risk Assessment

Category: pci dss, Security Risk Assessment | DISC @ 11:02 pm

Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).

The PCI Risk Assessment Special Interest Group says that when developing their own risk assessment methodology, organizations may consider adapting the industry-standard methodology that is most appropriate for their particular culture and business climate.

 
Key recommendations include:

• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization

PCI view of things: 

The announcement
https://www.pcisecuritystandards.org/pdfs/pr_121116_risk_sig.pdf

And the V1 document (also attached)
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

Below is my post on risk management from the perspective of ISO 27001, which offers expert guidance on planning and implementing a risk assessment and protecting your business information.

Information Security Risk Management for ISO 27001

Tags: International Organization for Standardization, ISO/IEC 27001, Methodology, Payment card industry, Payment Card Industry Data Security Standard, Risk Assessment, Risk management


Apr 28 2009

PCI DSS Misconceptions and Facts

Category: pci dss | DISC @ 7:13 pm

M1 – We are relatively small company so we don’t have to worry about PCI compliance
F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

M2 – PCI DSS is either a regulation or a standard
F2 – It is neither a standard nor a regulation; it is a contractual agreement between the card associations, the merchant banks and the merchants

M3 – We neither understand PCI nor have in-house expertise to address compliance
F3 – The PCI documents clarify most of the questions in business terms, but get help to interpret the technical questions. Due care implies understanding your requirements in order to comply and to protect your data

M4 – PCI has no ROI and is simply too much for a small business
F4 – PCI addresses baseline security for the payment card infrastructure, and its ROI is its total cost of ownership

M5 – Why bother when some companies get breached even though they were compliant
F5 – PCI DSS compliance is not a one-time process; it is an ongoing process that must be maintained

M6 – PCI compliance cannot be that hard, all we have to do is fill out the questionnaires
F6 – Yes, but the questionnaire has to be validated through a scan. Vulnerabilities need to be resolved before submitting the report to the merchant bank

M7 – My application and POS equipment are PCI compliant
F7 – PCI DSS compliance applies to an organization, not to an application or a piece of equipment

M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not address the CIA (confidentiality, integrity, availability) of the whole organization, only cardholder data security

M9 – A data breach will not affect business revenue
F9 – You may be reclassified as Level 1 (with the cost of monitoring), lose your card-acquiring ability, and face forensic charges and fines

M10 – We don’t need to scan PCI assets
F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

M11 – Merchants can use any application to transmit, process and store PCI data
F11 – Not really; beginning in 2010, merchants can only use payment applications validated under the Payment Application Data Security Standard (PA-DSS)

M12 – We have compensating controls in place, so we are covered
F12 – You still have to prove how well the compensating control covers the PCI requirement. Compensating controls are harder to implement and cost more money in the long run


Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security