Posts Tagged Payment Card Industry Data Security Standard
PCI Security Standards Council announces new board of advisors
Posted by brianfpennington in PCI DSS Compliance on 16/05/2013
The PCI Security Standards Council (PCI SSC) announced election results for the 2013-2015 PCI SSC Board of Advisors. The Board will represent the PCI community by providing counsel to SSC leadership. The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards […]
PCI Security Standards Council publishes card production security requirements
Posted by brianfpennington in PCI DSS Compliance on 09/05/2013
The PCI Security Standards Council (PCI SSC) has announced the publication of a standard for secure payment card production. The standard consists of two sets of requirements: the PCI Card Production Physical Security Requirements and the PCI Card Production Logical Security Requirements. Together, these documents provide card vendors with a comprehensive source of information describing the security requirements […]
Sometimes it is a good idea to have in-house skills
Posted by brianfpennington in PCI DSS Compliance on 20/03/2013
After many discussions with people responsible for achieving and maintaining PCI DSS compliance within their organisation, and hearing about their problems and pains, I often think about the skills they need and where they can get them. They could recruit, outsource or train, with training being the most cost-effective. I noticed on the PCI […]
Merchant sues VISA. Biting the hand that feeds you?
Posted by brianfpennington in PCI DSS Compliance on 18/03/2013
I know that if there were no merchants there would be no credit card companies and I know that the “alternative” payments market is growing, such as PayPal and V.me, but at this time it is fair to say that consumers still favour credit cards when it comes to online payments. This is why when I […]
PCI SSC releases PCI DSS Cloud Computing Guidelines
Posted by brianfpennington in PCI DSS Compliance on 07/02/2013
The PCI Security Standards Council has published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG). The guide is an excellent introduction to the “cloud” and offers specific and helpful guidance on what to consider when processing payments involving the cloud as well as the storage of […]
PCI SSC releases its PCI DSS E-commerce Security Guidelines
Posted by brianfpennington in Uncategorized on 01/02/2013
Hot on the heels of the ATM Guidelines, the PCI SSC has released the PCI DSS E-commerce Guidelines Information Supplement. The guidelines are designed to help e-commerce merchants decide which technologies and third-party service providers to choose. The e-commerce Special Interest Groups (SIGs) helped put the guidelines together, and that meant using their […]
Want to be PCI DSS compliant? Here are 5 mistakes to avoid.
Posted by brianfpennington in PCI DSS Compliance on 09/01/2013
Charles Denyer, a QSA with NDB, has produced a list of 5 mistakes all people striving for PCI DSS compliance must avoid. Not conducting a formal Readiness Assessment. It’s important with PCI DSS compliance to truly understand all facets of the Payment Card Industry Data Security Standard (PCI DSS) provisions, which essentially means answering the “who, what, […]
PCI SSC’s insights on mobile, encryption and payment security following the North American community meeting
Posted by brianfpennington in PCI DSS Compliance on 19/09/2012
After the sixth annual North American Community Meeting in Orlando, Florida, which was attended by over 1,000 stakeholders representing 460 organizations from 17 countries, the PCI SSC summarises the key discussion topics as: – Feedback on the standards in preparation for the release of the next version of the PCI DSS and PA-DSS […]
PCI Security Standards Council releases best practices for mobile software developers
Posted by brianfpennington in PCI DSS Compliance on 14/09/2012
During this week’s PCI SSC US Community Meeting, a demonstration of a mobile attack highlighted the need for more secure development practices in the mobile payments space. The demonstration coincided with and supported the release of the new guidelines, the PCI Mobile Payment Acceptance Security Guidelines, which offer software developers and mobile device manufacturers guidance on […]
The average cost of a breach event is $7.2 million or $214 per compromised record
Posted by brianfpennington in Uncategorized on 13/09/2012
In promoting their Internal Security Assessor Training in Dublin, the Payment Card Industry Security Standards Council (PCI SSC) sent an email quoting the Verizon Data Breach Investigation Report 2011 statistics: the average cost of a breach event is $7.2 million, and the average cost per compromised record is $214. The reason they were using the statistics […]
PCI Security Standard Council releases summary of feedback on PCI standards
Posted by brianfpennington in PCI DSS Compliance on 09/09/2012
The Payment Card Industry Security Standards Council has released a summary of feedback from the PCI community on the PCI Security Standards. The document highlights key themes coming out of the Council’s formal feedback period on version 2.0 of the PCI DSS and PA-DSS, in preparation for the next release of the standards in October 2013. […]
65% of businesses do not protect their customers’ private data
Posted by brianfpennington in PCI DSS Compliance on 24/08/2012
According to a survey by GreenSQL, more than 65% of businesses do not protect their customers’ private data from unauthorised employees and consultants. The results are interesting because every day we hear of another data breach or another form of malware which can steal data, or at least damage data, and you would think that […]
PCI Security Standards Council’s Qualified Integrators and Resellers program is now live
Posted by brianfpennington in PCI DSS Compliance on 15/08/2012
The PCI SSC’s Qualified Integrators and Resellers (QIR)™ Program will train and qualify integrators and resellers that sell, install and/or service payment applications on the secure installation and maintenance of PA-DSS validated payment applications, to support merchant PCI DSS security efforts. Eligible organizations can now register for the QIR program by visiting the PCI […]
PCI Security Standards Council Internal Security Assessor (ISA) training now available as an eLearning course
Posted by brianfpennington in Uncategorized on 03/08/2012
The new self-paced eLearning course is an online version of the Council’s existing instructor-led ISA training. ISA training provides businesses with the opportunity to educate qualifying employees responsible for managing their PCI DSS security programs on how to assess and validate their company’s adherence to PCI Security Standards. The curriculum is comprised of a four-hour online prerequisite […]
Criminal logic; follow the money and find easy targets
Posted by brianfpennington in PCI DSS Compliance on 16/07/2012
Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses. Why? Criminals do not discriminate: a dollar is a dollar, a credit card is a credit card, no matter where it is stolen from. Small businesses cannot invest as much in protection, management, procedures and processes as larger […]
PCI Security Standards Council releases Point-to-Point encryption (P2PE) resources
Posted by brianfpennington in PCI DSS Compliance on 29/06/2012
The PCI Security Standards Council (PCI SSC) has announced availability of the Point-to-Point Encryption (P2PE) Program Guide and Self-Assessment Questionnaire (SAQ) to support implementation of hardware-based point-to-point encryption (P2PE) solutions. They are downloadable from the PCI SSC website in MS Word format. The resources follow the Council’s release of updated Solution Requirements and Testing […]
Database security and SIEM are the top Risk and Compliance concerns
Posted by brianfpennington in brian pennington on 30/05/2012
The McAfee report Risk and Compliance Outlook: 2012 has been published and finds that Database Security and Security Information and Event Management (SIEM) were among the top priorities due to an increase in Advanced Persistent Threats (APTs). Databases hold the valuable data criminals are searching for; it therefore follows that database security is a growing issue […]
PCI Security Standards Council announces qualified integrators and resellers certification program
Posted by brianfpennington in PCI DSS Compliance on 10/05/2012
The PCI SSC quotes results from the Trustwave 2012 Global Security Report, which states that 76% of the breaches they investigated were the result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments. Errors introduced during implementation, configuration and support of PA-DSS validated payment applications by third parties […]
PCI Point-to-Point Encryption Solution Requirements and Testing Procedures v1.1
Posted by brianfpennington in PCI DSS Compliance on 27/04/2012
The Payment Card Industry Security Standards Council (PCI SSC) has released its Solution Requirements and Testing Procedures version 1.1 for Point-to-Point Encryption (P2PE). The press release can be found here. The main document is 210 pages long, but for those who have looked into this before there is a short four-page summary of changes from version […]
Verizon 2012 Data Breach Investigation Report – a summary with a PCI DSS view point
Posted by brianfpennington in PCI DSS Compliance on 27/03/2012
The 2012 Verizon Breach Investigation Report is out and I have attempted to summarise all 80 pages below. The study was conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service. The […]