PCI DSS

February 08, 2010

What will DLP do when we live in a tokenized world? That’s today’s conundrum.

Gary Palgon
Vice President, Product Management
nuBridges

Data Loss Protection or Data Leak Prevention (DLP) applications are often used to discover credit card and other personally identifiable information in enterprises.  If you don’t know where sensitive data exists, how can you protect it?

Imagine this.  Your company has migrated to a security model where tokens, or surrogate values, are spread throughout the enterprise instead of the actual values, say for actual credit cards.  If the tokens are format-preserving and therefore resemble credit cards but are actually tokens, how will the DLP systems know that they are tokens and not sensitive data?

While the latest indications on the next PCI DSS standard will only have minor changes in it (see No major PCI DSS revision expected in 2010), Walt Conway pointed out in StorefrontBacktalk that there’s a real possibility that the PCI DSS standard may eventually will mandate automated cardholder data discovery.

We better get creative quickly to solve this one!  Any ideas?
Until next time,

Gary

Posted at 02:38 PM in Data security, PCI DSS | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

| |

January 20, 2010

Conundrum – My company wants me to share more data and at the same time secure more data!

Gary Palgon
Vice President, Product Management
nuBridges

CIOs everywhere are being told by the business that they need to share more data, both internally and with business partners.  And then they are being told to secure more data to limit its use to only authorized users. 

Retailers, like many other industries, have been battling this during the past few years as they strive to comply with the PCI Data Security Standard to protect credit card information but the battle is only getting more complex.  Key to many organizations is their customer information, often part of loyalty and/or credit programs which require them to store for future use information considered to be personally identifiable information or PII

In a recent article by Walt Conway about what he heard at last week’s National Retail Federation (NRF) conference, he noted “While in New York, I heard a lot of CIOs talk about balancing the pressure to open systems and databases to more internal users with the need to protect the data. This balancing act will get more interesting as the volume of customer data expands.”  This is exactly the dilemma I hear all of the time.

And while that’s from a retail perspective, it’s no different in Healthcare.  Look at the US Health Information Technology for Economic and Clinical Health Act (HITECH) which as part of the American Recovery and Reinvestment Act (ARRA) has a goal to implement electronic medical records (EMR), secure protected health information (PHI) and share patient data security through out the ‘medical supply chain’.  Once again, the theme mirrors that above, share the electronic data but also secure it.

There are no silver bullet answers here, but it is important to take a strategic look at how PCI, PII and PHI is created, used, shared, archived and destroyed in order to properly ensure it is only used by authorized individuals, secure at all times and destroyed when it is no longer needed. 

What are the challenges related to locking down data and sharing more data in your organization?

Until next time,

Gary


PS...Later this week, nuBridges is releasing a new White Paper, "The Power of Integrated Protection."    This White Paper explores the emerging issues that are driving enterprises to seek an enterprise-class encryption, tokenization, key management and compliance solution to protect sensitive PCI, PII and PHI data.   I am offering early access to my loyal blog readers.  Click here to download the new White Paper, "The Power of Integrated Protection."   

Posted at 08:34 AM in Data security, HITECH, PCI DSS, PII, retail | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

December 10, 2009

Retailers See an Encouraging Start to Holiday Shopping Season

Kyle Parris
Director of Product Management
nuBridges

November 30th was the strongest Cyber Monday since the term was coined five years ago, matching the heaviest online spending day on record – December 9, 2008. And ShopperTrak reports that bricks-and-mortar retailers had a 1.6% increase in sales over last year during the Thanksgiving holiday weekend.

While we’re all keeping an eye on holiday sales (they are, after all, one indication of how our economy is or isn’t recovering from recent woes), many retailers are taking a longer view. Beyond just short-term revenue numbers to longer-term strategic goals of cutting costs, streamlining back-office operations and improving their brand. These savvy retailers are adopting a number of best-in-class technologies to make their strategic goals a reality. Among them – managed file transfer solutions (MFT).

Here are a handful of real-world examples of how retailers are reaping the rewards of MFT:

  • “We’ve eliminated any risk associated with the transfer of credit card data to our processer. And we’re now in compliance with the PCI DSS -- our latest audit was a piece of cake.”
  • “Previously two people had to spend more than six hours each per day manually transferring customer orders from our web site and telephone orders. Our business volume has grown, and so has our workload. With our new managed file transfer solution, it takes about five minutes a day. We’re spending more time selling, less time chasing down customer orders.”
  • “We use it to manage the exchange of electronic files between more than 1,000 retail outlets and our corporate order processing and accounting systems.”
  • “We’re now able to meet the file exchange requirements for our retailer network without having to change our business processes. Now we’re extending our MFT solution into our global supplier community.”
  • “MFT provides us with a simple, straightforward, secure file transfer solution, one that we put on auto-pilot to automatically transfer financial transactions between our back office applications in different banks on a daily basis.”

We’d love to hear how you’re retail business is doing this holiday season!

Happy holidays!

Kyle

Posted at 04:03 PM in Managed File Transfer, PCI DSS, retail | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , ,

| |

December 04, 2009

Retailers are Gaining Business Value with MFT

Kyle Parris
Director of Product Management
nuBridges

As retailers wait out the holiday shopping numbers, they’re continuing to enjoy lots of business value from their managed file transfer solutions. Retailers are early adopters of MFT for numerous reasons, but the top two are the need to:

The new generation of MFT solutions meets these challenges and many more. Other benefits that retailers tell us they’re reaping include:

  • Streamlined global order and fulfillment
  • Improved order-to-cash and days-sales-outstanding
  • Enhanced competitive sourcing capabilities
  • Improved demand forecasting
  • Eliminated order and invoice errors
  • Reduced costs and headaches associated with PCI DSS compliance
  • Met audit and governance requirements
  • Reduced transaction costs
  • Improved customer loyalty

Until next week,

Kyle

Posted at 10:32 AM in Managed File Transfer, nuBridges, PCI DSS, retail | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

| |

September 25, 2009

PCI SSC Community Meeting 2009: “The Feedback Year”

Gary Palgon
Vice President, Product Management
nuBridges


Onsite in Las Vegas – The Payment Card Industry’s Security Standards Council (PCI SSC) is on a 24-month cycle of reviewing and editing the PCI Data Security Standard (PCI DSS).  Version 1.2 was issued in October 2008 and the next major release is expected around the same time in 2010.  While last years’ theme seemed to be around “Compliance does not equal security” and “Network Segmentation”, this year’s theme was very much about submitting feedback on the current standard and reviewing new technologies for reducing the scope (and burden) for initial and ongoing PCI DSS compliance.

Pricewaterhouse Coopers (PwC) was contracted by the PCI SSC to “look at technologies out there that have the potential to reduce scope for PCI DSS” and PwC presented their preliminary findings at the meeting this week.  They interviewed more than 160 individuals from 125 companies across 10 countries and evaluated 12 technologies. They narrowed their focus down to four, which they drilled into to understand the impact of implementation and affect in reducing scope of the PCI DSS audit: end-to-end encryption, magnetic stripe imaging, tokenization and virtual terminals. The report will be forthcoming; however, it serves as “feedback” to the PCI SSC as they review the standard and recommendations in the coming year(s).

PCI-SSC-Mtg-09

As funny as it sounds, one “aha!” from the meeting was “What is considered cardholder data?”  Believe it or not there was no easy answer.  The Scoping Special Interest Group (SIG) will take that under review in the coming year. 

And finally, the annual meeting is a time where many people express the difficulty in understanding, implementing and changing the standards.  Much of that was put into perspective when former Congressman Tom Davis explained how the U.S. government works to create laws!  He was the co-author of the Federal Information Security Management Act (FISMA), so standards are near and dear to his heart.  I have to remind myself when I submit questions to the PCI SSC and months go by without an answer that it could be worse – I could be in politics!

Until next time,

Gary

Posted at 08:47 AM in PCI DSS | | Comments (0) | TrackBack (0)

| |

September 16, 2009

Conference Season’s Upon Us: First up PCI SSC Community Meeting

Gary Palgon
Vice President, Product Management
nuBridges

While you can attend a conference any week or weekend throughout the year, most of us can’t afford the time away from the office, even when we’re on the vendor side of the business equation like I am.  And given summer is a time when many people travel, it turns out that March through June and September through December are prime times for the “conference tours.”  Surely not as glorious as a “band tour,” but exciting nonetheless.  For me it’s an opportunity to meet customers, prospects, business partners and other people I’ve connected with during the year who I may have or have never met.  And for them, the same – an opportunity to put a face with the name.

First up is the Payment Card Industry’s Security Standards Council (PCI SSC) Community Meeting which will be held September 22nd - 24th in Las Vegas.  This is the third one, with the previous ones having been held in Toronto and Orlando.  The surroundings will surely be better than the prior cities (no offense to them – heck, I have to visit them during other conferences in the coming months too) and I would expect a bigger crowd than ever as each year it has grown since it started in 2007.

There’s always some interesting topics, discussions and debates (and this year we’ll add gambling to that).  Last year there was a focus on the quality of Qualified Security Auditors (QSAs) and network segmentation while this year all indications are there will be lots of discussion about virtualization, PCI scope, tokenization, end-to-end encryption, and chip and pin.

If you’re planning on being there, drop me an email at gpalgon AT nubridges DOT com.  I’d love to meet or catch up with you.

Gary

Posted at 09:38 AM in PCI DSS | | Comments (0) | TrackBack (0)

| |

August 20, 2009

130 Million Credit Cards Stolen?

Gary Palgon
Vice President, Product Management
nuBridges

That just may be the tip of the iceberg as the details of this latest cybercrime unravel.

On Tuesday, Albert Gonzalez and two others were indicted on charges of stealing more than 130 million payment card numbers, the largest hacking and identity theft case ever prosecuted in the U.S. Ironically, he is accused of breaching several retailer’s networks, which were already compliant with the Payment Card Industry’s Data Security Standard (PCI DSS) – a set of comprehensive requirements put into place in 2006 by American Express, MasterCard, Visa and other credit card companies to force businesses to better protect credit and debit card information from thefts like those committed by Gonzalez and other hackers over the years. Then, yesterday, Radisson reported that some of the computers at several hotels were breached between November 2008 and May 2009, possibly exposing guest information and credit card numbers.

This is BIG, but it’s only the latest in a long series of avoidable data breaches. Cybercriminals are opportunists. They steal information from wherever it’s easiest to reach. In the last couple of years they’ve methodically climbed the technology stack. In this case, Gonzalez and his band of global thieves started at the top breaching the web application interface and then went deep down to gather the internal credit card data in transit, the latter a problem that has yet to be enforced by the PCI DSS as a requirement.

Regardless of all of the ways that criminals get into systems to access data, the only sure method of protecting it is to actually ensure that the data is always encrypted, whether at rest or in transit.  And there are methods to do this including encryption, key management and tokenization which you’ve probably read in articles that I’ve published recently or presented.  http://www.nubridges.com/presscenter/articles-2009.php


Until next time,
Gary

Posted at 10:13 AM in PCI DSS | | Comments (0) | TrackBack (0)

| |

June 19, 2009

Report from the ISSA-UK Chapter Meeting

Gary Palgon
Vice President, Product Management
nuBridges

The ISSA-UK Chapter meeting was held last Thursday evening at the London offices of KPMG and attended by about 60 information security professionals.  There were three speakers covering an update from the Information Commissioner Office, the legal aspects of data security and how to reduce the scope of PCI DSS compliance using tokenization - the last one given by yours truly.

Issa2009-palgon-blog 

The topic was well received and much discussion with the group covered how tokenization applies to other data beyond credit card information and the industries that are a great fit for it – including health care, state and local government (e.g. law enforcement), hospitality, etc.

What was interesting about the other two talks is that the Information Commissioner’s Office noted that they have lots of laws and procedures to protect data but a limited ability to fine organizations for non-compliance, while the solicitor (lawyer for you and me) covered the power of both civil and criminal prosecution for breach of the very same laws.  The recommendation from both was to protect the data though!

I’m on vacation next week, spending my 13th year as a counselor to kids with cancer at Camp Sunshine.  Have a great week and go protect your data!

Gary

Posted at 08:00 AM in Data security, PCI DSS | | Comments (0) | TrackBack (0)

| |

Next »

Recent Posts

Recent Comments

Categories

Archives

More...

Subscribe to this blog's feed

About

nuBridges Web sites

Twitter Updates

    follow me on Twitter