Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘PCI Compliance’


…………………………………………………………………………………………………………………………………
Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
……………………………………………………………………………………………..………………………………….

Ten Ways To Secure Web Data Under PCI
by Robert Lemos
Whether they’re brick-and-mortar or online, merchants find the Payment Card Industry’s requirements for protecting credit card data challenging and confusing. But all retailers must understand how to protect the credit card and other customer data that comes from online transactions, because their businesses are in cybercriminals’ crosshairs…

Gartner VP interview: Mobile and social top challenges for CIOs
by Roberta Prescott
Mobile and social technologies represent a departure from the information technologies that CIOs are used to, such as ERP and CRM. This change is one of the three fundamental questions IT leaders and CIOs are facing, according to Mark McDonald, Gartner group vice president and head of research in Gartner Executive Programs…

EMV Migration Gets Answer People
by John Adams
Other groups, such as the Smart Card Alliance, are also expanding EMV migration information sharing. The alliance, whose members include card manufacturers, payment processors and financial institutions, operates the EMV Migration Forum, an independent, cross-industry body to discuss issues that require cooperation and coordination across constituents in the payments space…

…………………………………………………………………………………………………………………………………
What other interesting content have you come across? Leave a comment below and join the discussion
……………………………………………………………………………………………..………………………………….

When it comes to evaluating payment data security technologies, are you following the five “S’s”: scope, study, support, seek, secure?

If you’re not, how can you really know your data is protected and secure? Too often merchants go with the solution that is directly in front of them. They are focusing on their business, selling their products and services to their customers, and security and PCI simply get in the way. But one breach and suddenly, all of their hard work is gone.

A breach of merchant data not only hurts the consumer, but it harms the merchant as well. PCI will fine merchants in the case of a negligent breach, and once the word gets out, consumers become wary of doing business with you, so the merchant’s brand reputation is impacted.

The process of evaluating all the different payment security technologies out there doesn’t have to be complicated or time-consuming. Follow these 5 simple steps…

  1. SCOPE – Examine your data flow and identify every place where card data is stored
  2. STUDY – Educate yourself on security methods, technologies, and PCI compliance
  3. SUPPORT – Inventory your current systems – hardware, software, and processors – and understand how they will integrate with the new technology
  4. SEEK – Evaluate vendors and seek answers to key questions
  5. SECURE – Implement the right mix of methods and technologies to secure cardholder data

If you don’t know whether or not your data is protected and secure, give us a call.

This week, our team is at the PCI North American Community Meeting, where several new programs have been announced including the PCI Professional Program, the Council’s first individual accreditation program designed to build a greater level of PCI expertise across the industry for improved payment security globally. Check out this wrap up report to learn about the other major announcements, news and highlights.


Brain Hacking: Scientists Extract Personal Secrets With Commercial Hardware
by Gregory Ferenstein
Chalk this up to super-creepy: scientists have discovered a way to mind-read personal secrets, such as bank PIN numbers and personal associations, using a cheap headset. Utilizing commercial brain-wave reading devices, often used for hands-free gaming, the researchers discovered that they could identify when subjects recognized familiar objects, faces, or locations, which helped them better guess sensitive information…

PCI SSC’s Bob Russo on point-to-point encryption, PCI compliance (video)
by SearchSecurity
In this video interview, Bob Russo, general manager of the Payment Card Industry Security Standards Council (PCI SSC), discusses tokenization, point-to-point encryption, PCI compliance issues, and the state of guidance documentation for emerging technologies. According to Russo, the PCI SSC is currently assessing hardware-based point-to-point encryption products and plans to produce a list of approved PIN transaction security (PTS) devices by the end of 2012…

Mind the Gap: PIN versus Signature Authentication
by Douglas A. King
The just-released PULSE Debit Issuer Study reveals that in 2011 the gap in loss rates between signature and PIN debit transactions widened further. Issuers lost an average of three cents per signature debit transaction compared to less than one-half of one cent on PIN transactions…


Last week while watching Michael Phelps win his 20th Olympic medal, I was also reading a very interesting post on PCI Guru’s blog that discusses a topic covered in the latest Assessors newsletter. What do these two diverse topics have in common? Read on and see.

The blog post I mentioned refers to pre-authorization data and scope; a topic which has oft been the subject of discussion. Is pre-authorization data in scope with regard to PCI or not? While my personal belief is that it should always be considered in scope, the source of this debate comes from the fact that the standard does not really call it out. Indeed, many of the requirements are specific to post-authorization (such as restrictions on any storage of sensitive authentication data). In the newsletter, the PCI Council definitively states “PCI DSS applies wherever cardholder data (CHD) and/or sensitive authentication data (SAD) is stored, processed or transmitted, irrespective of whether it is pre-authorization or post-authorization.”

OK, so card data is in scope regardless of its authorization state wherever it is stored, processed or transmitted. But what does that mean to the merchant, other than putting a final period on the debate? The Council’s statement here is really one of common sense. Card data is not any less valuable before authorization than after it.

Generally, the length of time that data remains pre-authorization is short. That can vary however, especially when one considers new fees such as the Visa Zero Floor Limit Fee which adds a fee to any transaction that is settled without authorization. Merchants are incented to store the data to ensure they can receive an authorization prior to submitting for settlement. 

The PCI Council leaves the requirements regarding storage of pre-authorization sensitive authentication data (SAD) up to the individual payment brands. They did state, however, that any storage of SAD prior to authorization would be held to a higher standard of security and controls. Regardless of what PCI states, from a risk perspective it’s just good practice for merchants to secure all credit card data, and to remove as much of it from the merchant environment as possible. Point-to-point encryption and tokenization can play a role in effectively removing and securing card data.

For merchants, it’s tempting to let the realities of day-to-day operations take priority over complex topics like PCI, kicking the can down the road so to speak. This brings us back to the Olympics. Michael Phelps mentioned in an interview all the various obstructions that his coach created during his training. One that stood out was his coach stepping on his goggles to crack them, so they would fill with water during Michael’s next swim. This was to prepare Phelps for any situation that could occur in competition. Sure enough, during one of his races, his goggles did fill with water and he had to rely on counting strokes to know where he was. Without that preparation, he might not have been prepared for that hurdle.

Similarly, merchants need to prepare themselves for the day when they may be the target of an attack. Whenever I hear the argument that pre-authorization data can be considered out of scope because the PCI DSS doesn’t specifically say, I know I’m talking to someone who is not taking a long term ongoing approach to PCI. Just like Michael Phelps trains for all eventualities, merchants today must prepare to face the threats of tomorrow. Look closely at your environment. Have you effectively secured data pre-authorization? Do you know every place that card data exists within your environment? In a recent blog post, one of my colleagues wrote about the security training that every Merchant Link associate participates in. Security is more than a moment in time, or a specific job role. It’s something that everyone needs to be aware of.

Oh, and just to remind you, the Council has spoken. It IS in scope.

New PCI Rules Will Force Retailers To Set The Risk Level
by Walter Conway
PCI DSS version 2.0 changed on July 1. Even though there are no new requirements, per se, as of this date, the stated “best practices” for identifying and ranking risk vulnerabilities in Requirement 6.2 became mandatory. Ignore this change and you may see yourself up a PCI tree later this year…

Not All Merchants Are Happy with the $7-Billion-Plus Credit Card Settlement
by Digital Transactions
No sooner had the ink dried on a proposed settlement of a massive credit card suit than cracks began to appear in what had been an edifice of merchant solidarity. The NACS, a national trade group for convenience-store operators, on Friday said its board of directors had unanimously rejected the settlement, and on Monday its attorney told Digital Transactions News more merchant dissenters will emerge. “A lot of merchants are very upset about this [settlement],” says Douglas Kantor, a Washington, D.C.-based partner at Steptoe & Johnson LLP…

Small Kentucky town latest victim of credit card fraud affecting 25% of police force
by Avivah Litan
I’ve been hearing from U.S. banks that card fraud continues to be a major issue for them, while online bank account takeover and trojan-based attacks have flattened out. The new trend, they say, is ‘micro-attacks’ that are localized, small in nature and which stay under the radar longer, giving the crooks more time to rack up unauthorized charges…


Now that the July 4th sparklers have all burned out, we head into the long hot days of summer. These lazy days are filled with beach vacations, barbecues and picnics, and lounging in the sun. In part 2 of our Security Awareness blog series we focus on some alarming trends in data security and PCI compliance among small businesses. Unfortunately, according to a recent study commissioned by The Hartford Financial Services Group, the attitude of small business owners looks a lot like a summer vacation when it comes to their approach to data security. According to the survey, many small business owners (Level 4 merchants) simply do not believe they are at risk of a data breach, when in fact attacks on smaller businesses are increasing. The bottom line: data thieves don’t take vacation, and are always attempting to steal your customers’ credit card information.

ControlScan described it as “The Perfect Storm of Complacency” in their 2011 survey of Level 4 merchant attitudes regarding compliance with the Payment Card Industry Data Security Standard (PCI DSS). The survey revealed that merchants have a nonchalant attitude with regard to sensitive cardholder data and observed:

  • Risk of financial losses doesn’t seem to be a big motivator for Level 4 merchants to aggressively comply with the PCI DSS.
  • A sizeable minority of Level 4 merchants continue to believe that PCI compliance does not make their business more secure.
  • Little progress has been made in increasing awareness of PCI compliance among small merchants.

While small business owners want to focus on managing and growing their business more than the details of data security and PCI compliance, the threats and risks remain. Thankfully, there are some great resources out there that can help, including:

So enjoy the lazy days of summer, but don’t get lazy when it comes to data security and your company’s reputation! We invite you to share your experiences, questions and comments below.

CIOs and IT staff have continually full plates these days. They are required to juggle complex and often competing projects just to “keep the lights on” and at the same time work toward the overall vision their CEO lays out for the business. Operating during a down economy the past few years has caused businesses to look for efficiencies, and many reduced staff. At the same time there has been an explosion of user-generated project requests for new applications, web functionality and mobile technology. It can be a tall order to implement new or strategic projects such as company-wide security plans and PCI compliance when you are fighting every day just to do the basics.

For hospitality IT departments, putting off security projects can be very risky.  As Merchant Link reported in March of this year, according to the Verizon 2012 Data Breach Investigation Report, Restaurants/Accommodations continues to be the most targeted industry for data breach attacks.  So how can you, the CIO or IT Director, ensure that data security doesn’t fall to the bottom of your “to-do” list?  By partnering with a payment security expert, you can benefit from the collective experience and support garnered by assisting numerous customers in implementing a secure and comprehensive solution.

Look for a flexible payment data security solution that takes a layered approach to implementation so you can plan each stage. This eases constraints on resources while still allowing you to gain benefits as you implement each layer. For example, by implementing a cloud-based payment gateway, merchants can take advantage of a hosted architecture while removing the credit card interface system from PCI scope. Additional scope reductions can be achieved by removing stored PAN data using a tokenization solution, so that the merchant’s own systems hold only tokens that are useless outside the vault. To protect card data from the initial point of interaction and as it travels through the network, point-to-point encryption can also be added. A key benefit of a layered solution is the ability to implement in stages while receiving cost savings and scope reduction at each stage.
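To make the tokenization layer above concrete, here is an added example (not Merchant Link’s product or any vendor’s API) of a constructed, in-memory token vault. It shows the property that takes stored PAN data out of scope: the merchant’s order record keeps a random token and the last four digits, never the PAN, and the token is deliberately generated so that it fails the Luhn check and cannot be mistaken for, or reversed into, a real card number. The `TokenVault`, `store_order`, and the HMAC-keyed lookup index are all assumptions made for this illustration; a real vault lives with the gateway or provider, outside the merchant environment.

```python
"""Constructed example of PAN tokenization for PCI scope reduction.

Nothing here is a real vault implementation; it illustrates what a merchant
system keeps (tokens) versus what stays with the provider (PANs).
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: true for a well-formed card number.

    Useful defensively too, e.g. scanning logs or exports for stray PANs.
    """
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical provider-side vault (constructed for this example).

    The PAN -> token index is keyed by an HMAC of the PAN so that the index
    itself never contains card numbers; the token -> PAN map is the only
    place a PAN is held, and it stays with the provider.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a stable, format-preserving token for a valid PAN."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:       # same PAN -> same token (repeat-customer analytics)
            return self._token_by_index[idx]
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            # Reject Luhn-valid candidates and collisions: a token must never
            # look like a live card number or be reused for a second PAN.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Provider-side only: recover the PAN for settlement or refunds."""
        return self._pan_by_token[token]


def store_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """Build the record a merchant database would keep: token, last4, amount.

    The PAN is exchanged for a token at the point of capture and is never
    written to the merchant's own storage.
    """
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    record = store_order(vault, "4111111111111111", 42.50)   # constructed test PAN
    print("merchant record:", record)
    print("token passes Luhn:", luhn_valid(record["token"]))
    print("provider can detokenize:", vault.detokenize(record["token"]))
```

The design choice worth noting is the Luhn rejection loop: if a token could pass the same check as a real PAN, an auditor (or a PAN-discovery scan) could not tell tokens from live card data in the merchant’s databases, and the scope reduction would be much harder to demonstrate.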

It’s true an IT department has to juggle many priorities and projects, but data security is just too important to let fall off your plate. An experienced partner, a comprehensive solution and flexible implementation options will allow you to achieve your data security goals and ensure day-to-day operations keep running without busting your budget or your team. We invite you to share your experiences, questions and comments below.

Day 1 at the HITEC show brought several notable insights from Jibran Ilyas, QSA and senior investigator with Trustwave, at the PCI Boot Camp session this morning.

Test your data security smarts with this quick pop quiz, then check out the video for the answers and more insight.

  1. TRUE or FALSE: Allowing web access/web traffic is ok for front desk receptionists who may need it to look up directions and other information for guests.
  2. Which system type do hackers target more inside hotels and hospitality businesses?
    (a) PMS – property management system
    (b) POS – point-of-sale system
  3. 62% of all breaches result from stealing which type of data?
    (a) data in transit
    (b) stored data

And BONUS QUESTION (we’ll reveal the answer tomorrow):
What’s the street value of a stolen credit card?
(a) $1
(b) $20
(c) $50

Fresh off the road from a busy Spring schedule of conferences and events such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing
Mobile has placed even more power into the hands of today’s consumer, with the ability to check competitors’ prices while in store (a phenomenon known as “showrooming”) and so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to provide more customized promotions to increase engagement and loyalty. To keep up with today’s tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. We’re seeing some POS providers leveraging the tablet form factor, integrating barcode scanners and mag stripe readers into handheld devices that double as a tool to offer on-demand product information to shoppers wherever they are in the store.
Profits Are Up; Retailers Reinvesting Again
According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.
P2PE Emerging as Key Data Security Strategy
Point-to-point encryption (P2PE) is gaining greater momentum as one of the most effective ways for retailers to secure online, offline and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, with their favorite method being to target data “in transit,” as it moves through and from the merchant environment. Attackers in 2011 were more successful at harvesting data in transit than by any other method, according to Trustwave’s 2012 Global Security Report. Meanwhile, the PCI Council just released updated point-to-point encryption requirements as well as a fact sheet outlining how merchants can securely accept payments using mobile devices, with actionable recommendations on partnering with a P2PE solution provider to securely accept payments and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.