Mar 23 2011

PCI DSS questions answered

Category: pci dss | DISC @ 10:27 pm

Where can we find information about PCI DSS compliance that is focused on those of us who are “Mom & Pop” shops?

Since most small organizations fall into the self-assessment category, a great resource is the Security Standards Council SAQ (Self-Assessment Questionnaire) section. Specifically these documents:

SAQ main page

PCI DSS SAQ instructions and guidelines

SAQ: How it all fits together

SAQ A-D and Guidelines

For the remaining 30 PCI DSS questions and answers: Solutions to tough PCI problems



Jan 04 2011

Electronic Pick Pocketing with RFID

Category: Cybercrime, pci dss | DISC @ 9:10 am

RFID Security

Thieves now have the capabilities to steal your credit card information without laying a hand on your wallet.

It’s new technology being used in credit and debit cards, and it’s already leaving nearly 140 million people at-risk for electronic pickpocketing.

It all centers around radio frequency identification technology, or RFID.

You’ll find it in everything from your passports to credit and debit cards.

It’s supposed to make paying for things faster and easier.

You just wave the card, and you’ve paid.

But now some worry it’s also making life easier for crooks trying to rip you off.

In a crowd, Walt Augustinowicz blends right in.

And that’s the problem.

“If I’m walking through a crowd, I get near people’s back pocket and their wallet, I just need to be this close to it and there’s my credit card and expiration date on the screen,” says Augustinowicz demonstrating how easily cards containing RFID can be hacked.

Armed with a credit card reader he bought for less than $100 on-line and a netbook computer.


Tags: credit card fraud, electronic pick pocketing


Aug 13 2010

PCI SSC releases highlights for 2.0 changes

Category: pci dss | DISC @ 10:34 pm

PCI SSC has pre-announced the summary of changes for PCI DSS 2.0, expected in October 2010. Based on the summary report, most of the changes are clarifications or guidance.

According to Bob Russo, general manager of the PCI Security Standards Council:

“This version is 2.0, and the connotation is that there will be major changes, but that isn’t the case,” he told CSNews Online in a telephone interview. Most of the changes are “clarifications” such as combining requirements 10 and 11 for the PA-DSS (Payment Application Data Security Standard), which the council found redundant.

“The standard is pretty strong at this point and is maturing, so there are no major changes this time around,” Russo said in the interview. “Basically we are releasing clarifications and explanations on how to comply further down the line.”

Time will tell whether PCI SSC will allow organizations to pick controls based on their environment or risk appetite during risk management. Most of the industry, including some government agencies, follows a risk-based approach to addressing security risks. Instead of requiring a "Yes" at each control, SSC should give small organizations some flexibility to pick the controls that fit their needs; we might then see a higher rate of compliance among small and medium-sized businesses. A risk-based approach will also help larger organizations tie PCI DSS into their existing security management system.

Remember that PCI DSS still addresses only the cardholder data infrastructure of an organization. Let's hope future versions will include some guidance for small and medium-sized companies on how to address risks outside the scope of PCI DSS.

Summary of changes for PCI DSS 2.0

Tags: Payment Card Industry Data Security Standard, PCI Security Standards Council, SBN


Aug 02 2010

Why Your Business may need to be PCI-DSS Compliant?

Category: pci dss | DISC @ 10:18 pm

There is a myth out there that "we are a small company and PCI DSS does not apply to us." It does not matter how small or big your business is: you must comply with PCI DSS if you process, store or transmit credit card data.

Don't store credit card data if you don't have a real business need for it. If you do have to store credit card data, know your risks and liabilities, which happen to be many. A small business owner simply cannot afford to pay the liabilities and fines that follow a security breach while in a state of PCI DSS non-compliance.

Take a few minutes to watch this and see what the ultimate risk of non-compliance can do to a business. My advice: find a professional who can help you make sure you are PCI DSS compliant, so that if a breach DOES occur, you are protected with a safe harbor against the fines and non-compliance liabilities.

Watch how downstream liability affects a small merchant


Jun 30 2010

Security glitch exposes WellPoint data again

Category: hipaa, pci dss, Security Breach | DISC @ 11:53 am

By Tom Murphy

INDIANAPOLIS – WellPoint Inc. has notified 470,000 individual insurance customers that medical records, credit card numbers and other sensitive information may have been exposed in the latest security breach of the health insurer’s records.

The Indianapolis company said the problem stemmed from an online program customers can use to track the progress of their application for coverage. It was fixed in March.

Spokeswoman Cynthia Sanders said an outside vendor had upgraded the insurer’s application tracker last October and told the insurer all security measures were back in place.

But a California customer discovered that she could call up confidential information of other customers by manipulating Web addresses used in the program. Customers use a Web site and password to track their applications.

WellPoint learned about the problem when the customer filed a lawsuit about it against the company in March.

“Within 12 hours of knowing the problem existed, we fixed it,” said Sanders, who declined to identify the outside vendor.

WellPoint is the largest commercial health insurer based on membership, with nearly 34 million members. It runs Blue Cross Blue Shield plans in 14 states and Unicare plans in several others.

Sanders said the insurer notified customers in most of its states. That includes about 230,000 customers of its Anthem Blue Cross subsidiary in California.

About 356 million records of U.S. residents have been compromised or exposed due to security breaches since 2005, according to Privacy Rights Clearinghouse, a consumer advocacy group that tracks such reports.

WellPoint’s security breach doesn’t crack the top 10 in terms of number of people who may have had information exposed, said Paul Stephens, the organization’s director of policy and advocacy. Even so, he labeled the breach “very serious” because it possibly involved both financial and medical information.

“There are obviously multiple concerns there for consumers,” he said.

Two years ago, WellPoint offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.

WellPoint’s latest breach affected only individual insurance customers and not group coverage or people who buy Medicare Advantage insurance. Sanders said the company believes a “vast majority” of the unauthorized access of customer information came from the plaintiff and her attorneys.

The insurer notified all individual insurance customers who had information in its application tracking program from October through March. It will provide a year of free credit monitoring.

WellPoint shares fell 69 cents to $50.10 in Tuesday afternoon trading, while broader trading indexes slid more than 2 percent.
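The flaw the article describes, a record selected purely by an identifier in the URL with no check that the logged-in customer owns it, is usually called an insecure direct object reference. The following is an added example, not code from WellPoint, its vendor or the AP article: a hypothetical application-tracker lookup written the vulnerable way next to a hardened version that ties every lookup to the authenticated session, plus the audit trail a defender would use to notice someone walking through the id space. All records, usernames and ids are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str      # username that submitted the application
    status: str
    detail: str     # sensitive field (constructed sample text)

# Constructed sample records standing in for the tracker's database.
APPLICATIONS = {
    1001: Application(1001, "alice", "under review", "medical history attached"),
    1002: Application(1002, "bob", "approved", "card ending 4242 on file"),
    1003: Application(1003, "carol", "pending", "employer letter attached"),
}

def tracker_vulnerable(session_user: str, app_id: int) -> Optional[Application]:
    """The flaw: the id taken from the URL alone selects the record. The caller
    is authenticated (we know who session_user is) but never authorized."""
    return APPLICATIONS.get(app_id)

def tracker_hardened(session_user: str, app_id: int) -> Optional[Application]:
    """Ownership check on every lookup. A foreign id and a nonexistent id both
    return None, so the response does not confirm which ids exist."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        return None
    return record

def audited_lookup(session_user: str, app_id: int, audit: list) -> Optional[Application]:
    """Hardened lookup that also appends an audit event (user, id, outcome)."""
    record = tracker_hardened(session_user, app_id)
    audit.append((session_user, app_id, "allowed" if record else "denied"))
    return record

def suspicious_sessions(audit: list, min_distinct_denied: int = 3) -> list:
    """Detection: a session denied on several distinct ids is enumerating,
    which is what "manipulating Web addresses" looks like from the server."""
    denied = defaultdict(set)
    for user, app_id, outcome in audit:
        if outcome == "denied":
            denied[user].add(app_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= min_distinct_denied)

if __name__ == "__main__":
    print(tracker_vulnerable("alice", 1002))   # bob's record leaks to alice
    audit = []
    for app_id in (1001, 1002, 1003, 1004):    # alice tries neighbouring ids
        audited_lookup("alice", app_id, audit)
    print(suspicious_sessions(audit))          # ['alice']
```

The hardened version deliberately returns the same "not found" result for a record that belongs to someone else and for one that does not exist; a distinct "forbidden" response would tell a caller which ids are real. The threshold in `suspicious_sessions` is an assumption for the example; in production it would be tuned against normal traffic.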

Tags: Anthem (insurance), Blue Cross and Blue Shield Association, Business, Insurance, Privacy Rights Clearinghouse, Security, WellPoint


Jun 14 2010

Fallout from a PCI breach for merchants and consumers

Category: pci dss | DISC @ 6:22 pm


There is a big misconception out there that PCI DSS compliance does not apply to us because we are a relatively small company.

The fact is that PCI DSS must be met by all organizations that transmit, process or store payment card data. Business owners also want to know what the ROI on PCI compliance is. It is the total cost of ownership that ensures you keep earning big money. DISC

Thanks to federal law and standard practice in the financial industry, the maximum cash liability of a consumer whose cardholder data is stolen is only $50; the remaining losses are paid by the card companies. If weak security controls allow a criminal to access other accounts or steal a consumer's identity, the financial fallout could be severe for that individual. Resolving just one incident of stolen identity may take months, if not years, of effort.

Merchants face their own form of fallout. When a breach occurs, there are the costs of investigating and containing the incident, remediation expenses, and attorney and legal fees. But this is just for starters. Strategic and long-term fallout for merchants may include, but is not limited to, the following:

• Loss of customer confidence.
• Lost sales and revenue.
• Lower use of online stores due to fear of breaches.
• Brand degradation or drop in public stock value.
• Employee turnover.
• Fines and penalties for non-compliance with PCI and other regulations.
• Higher costs for PCI assessments when merchants with a breach must subsequently comply with the penalty of more stringent requirements.
• Termination of the ability to accept payment cards.
• Fraud losses.
• Cost of reissuing new payment cards.
• Dispute resolution costs.
• Cost of legal settlements or judgments.

The potential fallout for larger merchants can be huge. Smaller merchants, however, may have significant trouble weathering a cardholder data breach. Think about your company's cash flow and whether it could cover the potential damage from a breach. The risk of going out of business should perhaps be motivation enough to follow PCI and protect credit and debit card data.

How to Detect Debit Card Fraud

Tags: pci assessment, pci compliance, pci compliance books, pci consultant, pci dss


May 18 2010

Taking Credit Card Security Seriously

Category: pci dss | DISC @ 1:33 pm

PCI DSS v1.2: A Practical Guide to Implementation

By David F. Carr @ Forbes

The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I’m talking about lying and praying.

In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they’re doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That’s where the lying comes in. It’s not so hard to check off all the right answers (“Sure, I review my e-commerce server logs on a daily basis.”) without actually making them true.

If you’re lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars–enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren’t even storing.

Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user “admin,” password “admin.” And so on. More specifically, you’re responsible for protecting card holder data, and there’s some data you’re never supposed to store–like the full contents of a card’s magnetic stripe.

Many small businesses are still under the impression that the rules don’t apply to them because they’re too small, or because they don’t conduct e-commerce. Actually, the rules apply to any business–and even any nonprofit–that takes credit card payments. You can look for ways to lighten the compliance burden, but you can’t get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you’re still supposed to be locking down your systems.

Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent the minimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might suffer from the fines, damages and adverse publicity resulting from a card security breach. By contrast, “a small business is more likely to be GONE,” Chuvakin said. “Businesses that endanger their customers really do deserve to die.”

If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and Authorize.net let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all.

Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.

Even if you’re not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day’s worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer’s purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?

Possible Solutions
Perhaps not. Martin McKeay, a QSA and author of the Network Security Blog, recommends looking at new strategies for using end-to-end encryption and “tokenization.”

For example, payment processor First Data and security software firm RSA Security have developed a product called TransArmor that allows merchants to get authorization for a credit card number and then immediately dispose of the card number, replacing it with a token. The token is another number that acts as a stand-in for the credit card number itself. First Data keeps track of which tokens correspond with which credit card numbers. So if you’re executing previously authorized transactions at the end of the day, you send First Data a batch of tokens, and it relays the card numbers on to the bank. But if the tokens are stolen, by themselves they are worthless to anyone else.

“With this, the only time you need the true credit card number is when you do the authorization,” says Craig Tieken, First Data vice president of merchant product management. “The merchant, in our opinion, no longer needs the card number.” TransArmor is still in beta testing, scheduled for release in the summer of 2010.
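The tokenization flow the article describes (authorize once with the real card number, keep only a token, settle the end-of-day batch by sending tokens back to the processor) is small enough to model end to end. The following is an added example written for this page; it is not First Data's, RSA's or TransArmor's code and makes no claim about how that product works internally. `TokenVault` stands in for the processor, `Merchant` for the shop, and the two card numbers are well-known test PANs used as constructed sample input. It also adds a scan of the merchant's own store for anything that looks like a card number, the check that tells you whether that store is in PCI DSS scope at all.

```python
import re
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check used to recognise card numbers (in the vault and in the scan)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Processor side: the only place the PAN <-> token mapping exists."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def authorize(self, pan: str, amount_cents: int) -> dict:
        """Authorization: the one step where the merchant sends the real PAN.
        The response carries a token the merchant stores instead of the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = self._token_by_pan.get(pan)
        if token is None:
            # Random token, not derived from the PAN: nothing about it can be
            # reversed, and the same card maps to the same token for repeat sales.
            token = "tok_" + "-".join(secrets.token_hex(2) for _ in range(4))
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return {"approved": True, "token": token, "last4": pan[-4:],
                "amount_cents": amount_cents}

    def settle(self, batch):
        """End-of-day batch: merchant sends (token, amount); the vault swaps the
        PAN back in before forwarding to the bank (modelled here as a list)."""
        return [(self._pan_by_token[token], amount) for token, amount in batch]

class Merchant:
    """Merchant side: holds the PAN only inside sale(); stores token + last4."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.todays_sales = []

    def sale(self, pan: str, amount_cents: int) -> str:
        auth = self.vault.authorize(pan, amount_cents)
        # The PAN is not written anywhere; only the token and last4 are kept.
        self.todays_sales.append({"token": auth["token"], "last4": auth["last4"],
                                  "amount_cents": amount_cents})
        return auth["token"]

    def end_of_day(self):
        """Send the day's tokens for settlement and clear the local batch."""
        batch = [(s["token"], s["amount_cents"]) for s in self.todays_sales]
        settled = self.vault.settle(batch)
        self.todays_sales = []
        return settled

PAN_RE = re.compile(r"\d{13,19}")

def contains_pan(text: str) -> bool:
    """Scope check: True if stored data contains a Luhn-valid 13-19 digit run."""
    return any(luhn_ok(m) for m in PAN_RE.findall(text))

def merchant_store_dump(merchant: Merchant) -> str:
    """What an attacker who copied the merchant's store would actually get."""
    return repr(merchant.todays_sales)

if __name__ == "__main__":
    shop = Merchant(TokenVault())
    shop.sale("4111111111111111", 2500)   # constructed sale, test PAN
    shop.sale("5555555555554444", 1999)
    print(merchant_store_dump(shop))       # tokens and last4 only
    print(contains_pan(merchant_store_dump(shop)))  # False: out of scope
    print(shop.end_of_day())               # PANs reappear only inside the vault
```

The tokens are random rather than a hash or encryption of the card number, which is what makes a stolen batch worthless on its own: there is no key or computation that turns a token back into a PAN outside the vault. The dash-separated token format is an assumption of this example, chosen so a token can never be mistaken for a card number by the scan.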

PCI DSS v1.2: A Practical Guide to Implementation

Tags: Business, Credit card, First Data, Payment Card Industry Data Security Standard, PayPal, Personal identification number, Qualified Security Assessor, Tokenization