« January 2010 | Main | March 2010 »

February 2010

February 26, 2010

Call centers and PCI DSS compliance. Let the purging begin!

Gary Palgon
Vice President, Product Management
nuBridges

Yes, indeed. Just six weeks into the year, and the Payment Card Industry Security Standards Council  (PCI SSC) has issued three clarifications regarding the storage of cardholder data on digital audio recordings. Now the PCI SSC has formally clarified that storing payment card data in digital call records is forbidden. 

Color-call-center-small The issue is recordings that include card security codes –CAV2, CVC2, CVV2 or CID codes by the payment card brands. On January 22 the PCI SSC issued a revised FAQ on call center recordings.

Digital audio recordings have always been in PCI DSS scope, but if they weren’t searchable you could still store the security codes.  But don’t just rely on that because they have already changed that policy since then.  Evan Schuman reported in StorefrontBackTalk on February 18th that they added the phrase, “if that data can be queried;” however, there is still confusion as to what that actually means.

So, what does this mean for your call center? You need to purge all your existing digital voice recordings of security codes, discontinue storing these codes on all new recordings and encrypt any recordings that maintain the PAN.

As always, keep checking back with the PCI SSC web site for updates. Are you finding this easy or difficult to accomplish and why?


Until next time,

Gary

Posted at 11:31 AM in Data security, PCI DSS | | Comments (1) | TrackBack (0)

Technorati Tags: , , ,

| |

February 19, 2010

3 days ‘til HITECH penalties enforced

Kyle Parris
Director of Product Management
nuBridges

That’s right. February 22, 2010 is the date when monetary penalties can be imposed if unsecured Protected Health Information (PHI) is breached. Under the Health Information Technology for Clinical and Economic Health (HITECH) Act, PHI in the form of electronic data is considered unsecured unless it is encrypted or destroyed.

NIST-compliant encryption is mandated by the act’s related Health and Human Services (HHS) breach notification regulations. If your health care organization doesn’t encrypt PHI today, is it on your “to do” list?

It’s never too late to avoid the prospect of hefty sanctions. I’d like to recommend a white paper that nuBridges recently published http://nubridges.com/resource-center/whitepapers/best-practices-enterprise-mft/ to help you analyze the different managed file transfers that are available to securely and reliably transmit electronic PHI. 

To your health,

Kyle

Posted at 04:44 PM in HITECH | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

| |

February 16, 2010

Don’t forget about scanned images for PCI DSS compliance

Gary Palgon
Vice President, Product Management
nuBridges

The Payment Card Industry’s Security Standards Council issued a clarification about audio recordings on January 22, 2010 noting that card validation codes and values must not be stored under usual circumstances to be considered PCI DSS compliant.  PANs in the recording, of course, must be encrypted following the current standards as well.

  • Much like audio recordings, scanned images that contain the PAN and card validation codes must be addressed as well.
  • Requirement 3.3 specifically states that “displays of PAN (for example, on screen, on paper receipts) … are masked when displayed ...”
  • Requirement 9.6 notes: “Physically secure all paper and electronic media that contain cardholder data.”
  • Like the audio recordings, track data should not be stored based on Requirement 3.2 : “Do not store sensitive authentication data after authorization (even if encrypted).”
  • Images containing credit cards will need to be encrypted as required by Requirement 3.4: “Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).”

Don’t be caught off guard as you make your way though a PCI DSS compliance audit – trace all input sources of credit cards and follow the card “information supply chain” to make sure you’ve addressed all occurrences of this sensitive data.

Are there any other areas of input that you’ve seen frequently missed during audits?


Regards,
Gary


PS... If you have not already registered, I am co-presenter for live webinar being held February 24, 2010 at 2pm EST.  Brian Grafsgaard of QBS and I will discuss "Applying PCI Best Practices to Protect PII"  Click here to register:  https://www1.gotomeeting.com/register/314351497 

Posted at 08:41 AM in Data security, Encryption and key management., nuBridges, PCI DSS, PII | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

February 08, 2010

What will DLP do when we live in a tokenized world? That’s today’s conundrum.

Gary Palgon
Vice President, Product Management
nuBridges

Data Loss Protection or Data Leak Prevention (DLP) applications are often used to discover credit card and other personally identifiable information in enterprises.  If you don’t know where sensitive data exists, how can you protect it?

Imagine this.  Your company has migrated to a security model where tokens, or surrogate values, are spread throughout the enterprise instead of the actual values, say for actual credit cards.  If the tokens are format-preserving and therefore resemble credit cards but are actually tokens, how will the DLP systems know that they are tokens and not sensitive data?

While the latest indications on the next PCI DSS standard will only have minor changes in it (see No major PCI DSS revision expected in 2010), Walt Conway pointed out in StorefrontBacktalk that there’s a real possibility that the PCI DSS standard may eventually will mandate automated cardholder data discovery.

We better get creative quickly to solve this one!  Any ideas?
Until next time,

Gary

Posted at 02:38 PM in Data security, PCI DSS | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

| |

Recent Posts

Recent Comments

Categories

Archives

More...

Subscribe to this blog's feed

About

nuBridges Web sites

Twitter Updates

    follow me on Twitter