PCI DSS

August 12, 2010

PCI-DSS and PA-DSS Maturing, But More Needs to Be Done

Gary Palgon, CISSP
Vice President, Product Management
nuBridges

The PCI Security Standards Council (PCI SSC) has just released highlights of expected changes to be introduced with the long-awaited 2.0 versions of the PCI DSS and PA-DSS coming out later this year. In doing so, the Council is helping to quench the thirst for information among the merchant and service provider community so that it can more easily align security programs and offerings with the updated standards. nuBridges commends the PCI SSC for its efforts and transparency in this process.

However, while the upcoming changes will help to clarify many compliancy requirements, there still needs to be more specific guidance around key emerging technologies - particularly encryption and tokenization - to help companies further enhance security and reduce the scope of PCI audits. As the lead chair for the PCI SSC Scoping Special Interest Group’s Tokenization Working Group, I am helping drive efforts to ensure that guidance on these important security technologies will be forthcoming. Just as the industry’s needs with regard to protecting enterprise data are evolving rapidly, such guiding standards need to be put into place more quickly, as well.

One critical area hindering industry-wide standards adoption lies with the card brands themselves, as some continue to issue their own, independent standards for PCI compliance instead of conforming exclusively to PCI SSC-derived standards. Having a universal, singular standards set is paramount for easing compliancy requirements and reducing complexity for merchants and service providers alike.  

Overall, the industry is heading in the right direction, as the soon-to-be-released 2.0 versions of PCI DSS and PA-DSS demonstrate, but a more cooperative, aggressive approach is required for ensuring enterprise security standards in a timely manner.

Until next time,

Gary

Posted at 02:52 PM in PA DSS, PCI DSS | | Comments (1) | TrackBack (0)

Technorati Tags: , ,

| |

March 25, 2010

Hotels Achieve Unwanted Status as #1 Cybercrime Target

Gary Palgon
Vice President, Product Management
nuBridges

Credit-Card-blog We in the data protection industry are almost becoming immune to data breach alerts involving retailers and financial institutions. The alerts are not only frequent but expected. But when a recent alert from The Wall Street Journal flashed across my desktop “. . . Hotels are #1 Sector for Credit Card Data Breaches”, I must admit I was caught a bit off guard. I knew data breach incidents were growing in the overall hospitality industry, but #1?

The WSJ article relied on findings from a SpiderLabs report, which found that 38% of its data breach investigations in 2009 occurred at hotels, followed by 19% in the financial services industry. Perhaps a more astounding finding was that it took an average of 156 days for hotels to realize that a breach had occurred!

Upon reflection, there’s little doubt that hotels are particularly vulnerable to today’s savvy cybercriminal. Consider the number of payment channels used by hotels – mail order, telephone, card-present, web. And consider the number of reasons a merchant needs to store cardholder data for guests’ convenience -- recurring payments, loyalty programs and charge-backs – to name just a few examples. If the cardholder data is not protected via encryption within all applications and databases, data breaches will continue to occur at an alarming rate.

Were you also caught off guard by this news? I’d like to know your thoughts.

Look forward to hearing from you,

Gary

Posted at 09:21 AM in Data security, Encryption and key management, nuBridges, PCI DSS | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

| |

February 26, 2010

Call centers and PCI DSS compliance. Let the purging begin!

Gary Palgon
Vice President, Product Management
nuBridges

Yes, indeed. Just six weeks into the year, and the Payment Card Industry Security Standards Council  (PCI SSC) has issued three clarifications regarding the storage of cardholder data on digital audio recordings. Now the PCI SSC has formally clarified that storing payment card data in digital call records is forbidden. 

Color-call-center-small The issue is recordings that include card security codes –CAV2, CVC2, CVV2 or CID codes by the payment card brands. On January 22 the PCI SSC issued a revised FAQ on call center recordings.

Digital audio recordings have always been in PCI DSS scope, but if they weren’t searchable you could still store the security codes.  But don’t just rely on that because they have already changed that policy since then.  Evan Schuman reported in StorefrontBackTalk on February 18th that they added the phrase, “if that data can be queried;” however, there is still confusion as to what that actually means.

So, what does this mean for your call center? You need to purge all your existing digital voice recordings of security codes, discontinue storing these codes on all new recordings and encrypt any recordings that maintain the PAN.

As always, keep checking back with the PCI SSC web site for updates. Are you finding this easy or difficult to accomplish and why?


Until next time,

Gary

Posted at 11:31 AM in Data security, PCI DSS | | Comments (2) | TrackBack (0)

Technorati Tags: , , ,

| |

February 16, 2010

Don’t forget about scanned images for PCI DSS compliance

Gary Palgon
Vice President, Product Management
nuBridges

The Payment Card Industry’s Security Standards Council issued a clarification about audio recordings on January 22, 2010 noting that card validation codes and values must not be stored under usual circumstances to be considered PCI DSS compliant.  PANs in the recording, of course, must be encrypted following the current standards as well.

  • Much like audio recordings, scanned images that contain the PAN and card validation codes must be addressed as well.
  • Requirement 3.3 specifically states that “displays of PAN (for example, on screen, on paper receipts) … are masked when displayed ...”
  • Requirement 9.6 notes: “Physically secure all paper and electronic media that contain cardholder data.”
  • Like the audio recordings, track data should not be stored based on Requirement 3.2 : “Do not store sensitive authentication data after authorization (even if encrypted).”
  • Images containing credit cards will need to be encrypted as required by Requirement 3.4: “Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).”

Don’t be caught off guard as you make your way though a PCI DSS compliance audit – trace all input sources of credit cards and follow the card “information supply chain” to make sure you’ve addressed all occurrences of this sensitive data.

Are there any other areas of input that you’ve seen frequently missed during audits?


Regards,
Gary


PS... If you have not already registered, I am co-presenter for live webinar being held February 24, 2010 at 2pm EST.  Brian Grafsgaard of QBS and I will discuss "Applying PCI Best Practices to Protect PII"  Click here to register:  https://www1.gotomeeting.com/register/314351497 

Posted at 08:41 AM in Data security, Encryption and key management, nuBridges, PCI DSS, PII | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

February 08, 2010

What will DLP do when we live in a tokenized world? That’s today’s conundrum.

Gary Palgon
Vice President, Product Management
nuBridges

Data Loss Protection or Data Leak Prevention (DLP) applications are often used to discover credit card and other personally identifiable information in enterprises.  If you don’t know where sensitive data exists, how can you protect it?

Imagine this.  Your company has migrated to a security model where tokens, or surrogate values, are spread throughout the enterprise instead of the actual values, say for actual credit cards.  If the tokens are format-preserving and therefore resemble credit cards but are actually tokens, how will the DLP systems know that they are tokens and not sensitive data?

While the latest indications on the next PCI DSS standard will only have minor changes in it (see No major PCI DSS revision expected in 2010), Walt Conway pointed out in StorefrontBacktalk that there’s a real possibility that the PCI DSS standard may eventually will mandate automated cardholder data discovery.

We better get creative quickly to solve this one!  Any ideas?
Until next time,

Gary

Posted at 02:38 PM in Data security, PCI DSS | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

| |

January 20, 2010

Conundrum – My company wants me to share more data and at the same time secure more data!

Gary Palgon
Vice President, Product Management
nuBridges

CIOs everywhere are being told by the business that they need to share more data, both internally and with business partners.  And then they are being told to secure more data to limit its use to only authorized users. 

Retailers, like many other industries, have been battling this during the past few years as they strive to comply with the PCI Data Security Standard to protect credit card information but the battle is only getting more complex.  Key to many organizations is their customer information, often part of loyalty and/or credit programs which require them to store for future use information considered to be personally identifiable information or PII

In a recent article by Walt Conway about what he heard at last week’s National Retail Federation (NRF) conference, he noted “While in New York, I heard a lot of CIOs talk about balancing the pressure to open systems and databases to more internal users with the need to protect the data. This balancing act will get more interesting as the volume of customer data expands.”  This is exactly the dilemma I hear all of the time.

And while that’s from a retail perspective, it’s no different in Healthcare.  Look at the US Health Information Technology for Economic and Clinical Health Act (HITECH) which as part of the American Recovery and Reinvestment Act (ARRA) has a goal to implement electronic medical records (EMR), secure protected health information (PHI) and share patient data security through out the ‘medical supply chain’.  Once again, the theme mirrors that above, share the electronic data but also secure it.

There are no silver bullet answers here, but it is important to take a strategic look at how PCI, PII and PHI is created, used, shared, archived and destroyed in order to properly ensure it is only used by authorized individuals, secure at all times and destroyed when it is no longer needed. 

What are the challenges related to locking down data and sharing more data in your organization?

Until next time,

Gary


PS...Later this week, nuBridges is releasing a new White Paper, "The Power of Integrated Protection."    This White Paper explores the emerging issues that are driving enterprises to seek an enterprise-class encryption, tokenization, key management and compliance solution to protect sensitive PCI, PII and PHI data.   I am offering early access to my loyal blog readers.  Click here to download the new White Paper, "The Power of Integrated Protection."   

Posted at 08:34 AM in Data security, HITECH, PCI DSS, PII, retail | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

| |

December 10, 2009

Retailers See an Encouraging Start to Holiday Shopping Season

Kyle Parris
Director of Product Management
nuBridges

November 30th was the strongest Cyber Monday since the term was coined five years ago, matching the heaviest online spending day on record – December 9, 2008. And ShopperTrak reports that bricks-and-mortar retailers had a 1.6% increase in sales over last year during the Thanksgiving holiday weekend.

While we’re all keeping an eye on holiday sales (they are, after all, one indication of how our economy is or isn’t recovering from recent woes), many retailers are taking a longer view. Beyond just short-term revenue numbers to longer-term strategic goals of cutting costs, streamlining back-office operations and improving their brand. These savvy retailers are adopting a number of best-in-class technologies to make their strategic goals a reality. Among them – managed file transfer solutions (MFT).

Here are a handful of real-world examples of how retailers are reaping the rewards of MFT:

  • “We’ve eliminated any risk associated with the transfer of credit card data to our processer. And we’re now in compliance with the PCI DSS -- our latest audit was a piece of cake.”
  • “Previously two people had to spend more than six hours each per day manually transferring customer orders from our web site and telephone orders. Our business volume has grown, and so has our workload. With our new managed file transfer solution, it takes about five minutes a day. We’re spending more time selling, less time chasing down customer orders.”
  • “We use it to manage the exchange of electronic files between more than 1,000 retail outlets and our corporate order processing and accounting systems.”
  • “We’re now able to meet the file exchange requirements for our retailer network without having to change our business processes. Now we’re extending our MFT solution into our global supplier community.”
  • “MFT provides us with a simple, straightforward, secure file transfer solution, one that we put on auto-pilot to automatically transfer financial transactions between our back office applications in different banks on a daily basis.”

We’d love to hear how you’re retail business is doing this holiday season!

Happy holidays!

Kyle

Posted at 04:03 PM in Managed File Transfer, PCI DSS, retail | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , ,

| |

December 04, 2009

Retailers are Gaining Business Value with MFT

Kyle Parris
Director of Product Management
nuBridges

As retailers wait out the holiday shopping numbers, they’re continuing to enjoy lots of business value from their managed file transfer solutions. Retailers are early adopters of MFT for numerous reasons, but the top two are the need to:

The new generation of MFT solutions meets these challenges and many more. Other benefits that retailers tell us they’re reaping include:

  • Streamlined global order and fulfillment
  • Improved order-to-cash and days-sales-outstanding
  • Enhanced competitive sourcing capabilities
  • Improved demand forecasting
  • Eliminated order and invoice errors
  • Reduced costs and headaches associated with PCI DSS compliance
  • Met audit and governance requirements
  • Reduced transaction costs
  • Improved customer loyalty

Until next week,

Kyle

Posted at 10:32 AM in Managed File Transfer, nuBridges, PCI DSS, retail | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , ,

| |

Next »

Recent Posts

Recent Comments

Categories

Archives

More...

Subscribe to this blog's feed

About

nuBridges Web sites

Twitter Updates

    follow me on Twitter