“Mastering the Payment Card Industry Standard” article for CPAs
Regardless of whether or not a business suffers a data breach, failing to live up to the core data security framework of the standard can, under the terms of a business’s contract with a payment card company, result in sanctions, increased audits or bans prohibiting businesses from issuing or accepting credit or debit cards or otherwise playing a role in such transactions. more...

(60 MINUTES) Hi-Tech Heist: How Hi-Tech Thieves Stole Millions of Customer Financial Records (11/25/07)
Consumers often feel safer using their credit cards in stores than online, where hackers are notorious for stealing personal information. But is it really safer? more on the 60 Minutes segment...

Finding the PCI DSS Merchant, Service and Compliance Level
But just because an organization is PCI DSS compliant right now does not mean that it will remain compliant indefinitely. Compliance with the PCI DSS rules is an ongoing effort, as new technologies and new ways of hacking personal data continue to emerge. more...

Don't blame PCI DSS for TJX troubles, IT pros say
"Looking at the 12 requirements [of PCI DSS], I have to wonder how could you make them any more lax than they are," said Keith Gosselin, IT officer for Biddeford Savings Bank in Maine. "These are the simplest of best practices. As a CIO, CEO or CFO, why would you not want your company to meet these requirements?" more...

Visa rolls out new payment application security mandates
Amid signs of growing frustration in the retail community over the credit card industry's Payment Card Industry (PCI) data security requirements, Visa on Tuesday quietly rolled out an additional set of Payment Application Security Mandates for all companies that handle credit and debit card transactions. more...
PCI Data Security Standard compliance: Three steps to success
When Visa International, MasterCard International Inc., American Express Co., Discover Financial Services LLC and JCB Co. banded together in 2005 to draft the Payment Card Industry (PCI) Data Security Standard (DSS), they wanted to improve credit card security among merchants, retailers and banks that issue, use and process credit cards. For small and medium-sized businesses (SMBs), the burden to comply can be onerous. more...

Outsourcing's true value still goes largely untapped
Why does it matter? Well, saving money on IT matters. Seventy percent of IT decision makers tell Forrester they remain focused on finding ways to "curtail IT services spending" in 2007, Roehrig said. more...

PCI Security Standards Council to manage PED requirements
The PCI Security Standards Council is an independent industry standards body providing management of the Payment Card Industry Data Security Standard. more...

PCI COMPLIANCE DEADLINES HAVE RETAILERS SCRAMBLING
Visa's deadlines for PCI data security standard compliance have large retailers scrambling. But experts have little sympathy for those who've waited. The TJX breach should have been incentive enough. more...

Radio Sandy Spring Interviews NetBoundary
Bruce Teichman of All Covered discusses technology's role in small businesses today. Topics cover IT-related current events along with guests including business owners, vendors and technology experts who will share their stories on harnessing IT for business success. Click here to listen to the interview with O'Grady Milner and Trevor Jennings.

PCI to Put Level 3 & 4 Merchants Under Its Microscope
July 18, 2007 - More large merchants now meet the dictates of the Payment Card Industry data-security standard, or PCI, according to new numbers from Visa U.S.A. At the same time, Visa, the biggest payment-card network, is turning its security attention to small merchants, the source of the majority of data breaches.
Web Application Firewall, Shedding some light on PCI DSS
The Payment Card Industry (PCI) Data Security Standards (DSS) are a broad set of requirements for protecting payment account data security. PCI, which is governed by the independent PCI Security Standards Council, was co-developed by the giants of the payment industry as a standard for consistent data security among the participants in payment transactions and includes requirements for security processes, policies and countermeasures to protect applications and networks. more...

Leading Industry Analyst Firm’s Magic Quadrant Positions LogLogic in the Leaders Quadrant
SAN JOSE, CA -- May 18, 2007 -- LogLogic today announced that it has been positioned by Gartner, Inc. in the "Leaders" quadrant of the just-published Security Information and Event Management Magic Quadrant, 1Q07. Gartner evaluates companies based on their ability to execute - which includes service and support, market share and financial health, among other criteria - as well as completeness of vision, which includes breadth and functionality of offerings, successful implementations and ability to meet customer requirements both today and in the future. LogLogic is the industry leader in the fast-growing market for management and intelligence solutions for IT log data - the immutable fingerprint of user and systems activity. more...

SOX: Email retention is 'a legal Chernobyl'
The $1.45bn judgment against Morgan Stanley for deceiving billionaire Ronald Perelman over a business deal has a lesson all companies should learn - keeping emails is now a must, experts say. more...

Email Retention Policy
The Email Retention Policy is intended to help employees determine what information sent or received by email should be retained and for how long. The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via electronic mail or instant messaging technologies. more...

Intel Faces Up to E-Mail Retention Problems in AMD Lawsuit
Intel is facing some big-time legal problems in its 2-year-old legal tussle with a major competitor, AMD—largely because its own internal e-mail archiving system apparently isn't doing the job. more...

Chase Paymentech PCI Compliance Initiative For Level 4 Merchants
Chase Paymentech Solutions has announced a new data security compliance program targeted to small-to-medium sized merchants -- those who process less than 20,000 e-commerce and/or one million card present transactions of a single card brand annually. more...

Is PCI Compliance for Level 4 Merchants a Must?
Beginning June 30, 2007, PCI compliance will change for Level 4 merchants. PCI compliance is a must for merchants who process less than 20,000 transactions per year too. In other words, Level 4 merchants will no longer be exempt from PCI compliance. Industry insiders have noted that American Express has already begun alerting Level 4 merchants about the need for compliance. The other credit card companies will probably follow suit shortly after. more...

Data Security Requirements
Your customers expect you to ensure their privacy--including when you store their Card information for recurring billing. We have a long-standing commitment to help businesses protect Cardmember information by keeping this sensitive information private and secure. Learn more about our security requirements for businesses that accept the Card so you can implement them at your company as well. more...

Data Security Do’s and Don’ts
Discover® Network recommends you take every precaution to secure cardholder information that is processed, stored or transmitted. Here are some general Do’s and Don’ts that every merchant should keep in mind. more...
MasterCard Site Data Protection Program
Working through our acquiring members, the MasterCard SDP Program is designed to help members, merchants and Service Providers - Third Party Processors (TPPs) and Data Storage Entities (DSEs) - proactively protect themselves and the overall payment system against the threat of compromises. more...

Upholding the Highest Cardholder Data Security Standards for Visa Stakeholders
The Visa Cardholder Information Security Program (CISP) aims to secure Visa cardholder data wherever it resides, requiring that members, merchants, and service providers maintain the highest information security standards. more...

PCI Auditor's Discussion Board
Forum for banks, merchants and service providers impacted by the Payment Card Industry Data Security Standard. more...

Some PCI Progress, But Visa Sends a List of Non-Compliant Software (April 26, 2007)
Amid highly publicized data breaches at major chains like TJX Cos. Inc. and Stop & Shop Supermarket Cos., large merchants are making progress in achieving compliance with the Payment Card Industry data-security standard (PCI), though nearly two-thirds of them have still not been certified as meeting the standard. more...

Texas businesses liable for data security breaches, Jan 09
Last week, the Texas Legislature passed a bill that makes businesses liable for any monetary expenses resulting from data security breaches of their company. more...

Texas Legislature Pushes Credit Card Security Bill
Texas-based merchants may soon be law-bound to comply with data-security standards set by the Payment Card Industry (PCI). more...

PCI DSS: The standards should not be lowered
In a recent article featured on SearchSecurity.com, a chief security officer of a payment processor expressed his concerns and opinions on the PCI Security Standards Council and the oversight of the PCI Data Security Standard (DSS), as they specifically related to his company's interests. more...
Alarmed By Data Breaches, Texas Eyes Mandating PCI Compliance
Regulators in Texas are getting serious about protecting credit and debit card transactions. This Computerworld story on Payment Card Industry (PCI) more...
Nine-Month TJX Loss from Data Breach Could Hit $29 Million
Data breach—card information of some 46 million consumers fell into unauthorized hands—it was apparently not in compliance with retail industry PCI more...

Texas PCI DSS Safe Harbor Bill 3222
The Texas House of Representatives' House Bill 3222 will codify the Payment Card Industry Data Security Standard into law. Specifically, the law provides safe harbor to those companies that are compliant with PCI DSS, and places liability for card re-issuing fees on those who are not compliant. This has much more momentum than the Mass. bill, and has tremendous support. more...

Bill Protecting Consumer Financial Data Passes Texas State House
DALLAS, May 11 /PRNewswire/ -- The Texas House of Representatives voted 139 to 0 in favor of a data security breach bill (House Bill 3222), which has been strongly supported by the Texas Credit Union League from the start. more...
PCI Codified into Texas law (nearly)
The Texas House of Representatives is in the process of enacting House Bill 3222, which will codify the Payment Card Industry Data Security Standard into law. Specifically, the law provides safe harbor to those companies that are compliant with PCI DSS, and places liability for card re-issuing fees on those who are not compliant. This has much more momentum than the Mass. bill, and has tremendous support. This is a trend that should be expected to domino across the country, as breaches due to another party's lack of controls continue to impact businesses in other regions. more...

TJX turbulence: Time to board the PCI ship
Payment fraud is big business. But even more troubling is the notion that unless and until everyone in the transaction chain accepts this fact and takes action to remediate the problem, it only can worsen. And that's certain to erode confidence, especially consumer confidence, in retail payment systems. more...

The Politics of PCI/DSS
Yesterday’s front-page Wall St. Journal article about TJX (“How Credit Card Data Went Out Wireless Door”, May 4, 2007) takes a disappointing, though expected, turn at the end. Referring to proposed credit card security legislation, they write: “One bill in Massachusetts would impose full financial responsibility for any fraud-related losses, including costs of reissuing of cards, on companies whose security systems are breached.” The context suggests that by companies, they mean companies that aren’t card-issuing banks, namely downstream entities like merchants (e.g. TJX) and payment processors (e.g. CardSystems). more...

What you need to know if your business processes credit cards
The pressure is on to get merchants to comply with the Payment Card Industry (PCI) Security Standards Council’s Data Security Standard (DSS). PCI DSS is a set of standards agreed upon by Visa, MasterCard, Discover, American Express, and JCB in an attempt to police the payment card industry before legislators enact and impose regulations such as the New Jersey Identity Theft Prevention Act that went into effect last year. more...
Steak n Shake beefs up security
Credit card security may not exactly be a top-of-mind item for customers dining on steakburgers and milkshakes at any of the 450-odd Steak n Shake restaurants scattered around the Midwest and Southeast. more...

State Security Breach Notification Laws
At least 35 states have enacted legislation requiring companies and/or government agencies to disclose security breaches involving personal information. more...

Businesses need to be compliant with new credit card security standards
Time is running out for hotels, restaurants and other organisations that handle credit card payments to make their IT systems compliant with a new security standard, experts have warned. more...

Consumers will stop shopping at stores that suffer data breaches
A report out Thursday from Javelin Strategy & Research shows that 77 percent of 2,750 consumers polled said they would stop shopping at stores that suffer data breaches. more...

WHO'S BEHIND CRIMINAL BOT NETWORKS?
They have infected perhaps 100 million computers with viruses, turning the PCs around the world into an army of willing criminal assistants known as “bots.” more...

Breach over Chipotle Mexican Grill's
Chipotle Mexican Grill's experience serves as a cautionary tale: Prior to August 2004, the possible theft of patrons' card data led to up to 2,000 incidents of fraudulent charges totaling $1.4 million, for which the restaurant became liable. While the company has not been able to definitively show that data thefts occurred, it did find itself holding the bag. Subsequently, the company determined its software had been retaining track data, and some Internet gateways lacked security measures. more...

Shareholders to sue TJX over breach
TJX Companies Inc. continues to suffer the consequences of a massive data breach that exposed sensitive customer data to possible identity fraud. The retail giant now faces a lawsuit from one of its larger shareholders. more...
PCI DSS auditors see lessons in TJX data breach
TJX Companies Inc. violated some of the basic tenets of the PCI Data Security Standard (PCI DSS) and, according to several PCI auditors, it will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data. more...

The PCI Noose is Tightening
PCI/CISP has been a requirement since 2001 and yet we’ve found ways to “back-burner” compliance. We’ve distracted ourselves with a million other operational tasks and pressed for budgets to fuel those initiatives. Meanwhile, the criminals of the world were stealing at a record rate, causing the security sector to literally change overnight. All kinds of privacy issues surfaced through mainstream media sources, corporate blunders, and whistle blowers. Before long, privacy and data protection were top issues with politicians and CEOs alike. more...

Four Cornerstones to a Successful MSSP Partnership
Securing information assets has become a highly complex function demanding significant investment in process definition, security expertise, systems, and infrastructure. Compounding these challenges, it requires internal alignment between the various business units, IT organization and security teams to ensure the tensions between availability and security are well balanced. Security is also a 24x7 function, as threats can emerge at any time. more...

Information Security Topics: more...

PCI Security Standards Council Chair Seana Pitt: Awareness Is Essential
The Payment Card Industry Security Standards Council (PCI) launched in September as a joint venture between Visa International, MasterCard Worldwide, Discover Financial Services, JCB and American Express (NYSE: AXP) to continuously improve the data security standard. more...
Firms seeking PCI compliance face dilemma
Many are complaining that the Payment Card Industry Data Security Standard (PCI-DSS), that industry's self-regulation for safeguarding cardholder information, lacks teeth. more...

PCI DSS is about managing risk
To add to the discussion about PCI's movement, I think we should commend the Card Associations for self-regulating as a private industry. The Payment Card Industry Data Security Standard (PCI DSS) was a program developed to manage RISK, not solely SECURITY. more...

Cover story: PCI persists
When Sara Lee Corporation began its initiative to comply with payment card industry (PCI) data security standards (DSS) two years ago, its security experts had a lot of questions about the requirements. According to Maurice Hampton, senior manager of information security architecture for the company, Sara Lee had to jump through a lot of hoops before it could even get a clear picture of what it would take to comply. more...

Big trouble if PCI-DSS requires CSRF
PCI-DSS is requiring more web application security focus, probably because most of the CC# heists we're reading about either have to do with lost/stolen PCs or web application hacks. more...

PCI Security Standards Council: Building Trust
The newly formed PCI Security Standards Council will go a long way to further the industry's awareness of credit card security, and help to make an excellent program even better. This will, over time, improve consumer trust in e-commerce -- and everyone will benefit if it's successful in that goal alone. more...
© 2007 NetBoundary Corporation. All rights reserved.