Brian Pennington

A blog about Cyber Security & Compliance

Tag: PCI Security Standards Council

PCI Council collaborates with industry to speed secure chip card acceptance for merchants

The PCI Security Standards Council has announced that it will join with the Payments Security Taskforce and EMV Migration Forum to launch the U.S. EMV VAR Qualification Program, a chip education curriculum and accreditation initiative that will help merchants and their partners securely implement chip card solutions.

The U.S. EMV VAR Qualification Program aims to streamline and simplify the testing and certification process for Value Added Resellers (VARs) and Independent Software Vendors (ISVs), helping them securely implement chip card solutions for their merchant customers in advance of the 2015 liability milestone.

The optional program consists of three central elements:

  1. An educational curriculum from the EMV Migration Forum that provides a clear understanding of chip technology for payment cards in the U.S. market
  2. A listing on the PCI Security Standards Council website of all service providers independently accredited by the major payment networks to provide chip recommendations and implementation
  3. A pre-qualification process run by the accredited service providers to help VARs and ISVs begin the implementation process before they work with acquirers for final certification

“We heard from the acquirer community that there was a limitation on the time and resources available to help the VAR community best prepare for the broad adoption of chip,” said PCI SSC Chairperson Bruce Rutherford. “This coordinated effort across all industry players will help eliminate the bottleneck and speed the certification of smaller merchants’ chip card acceptance efforts.”

Added PCI SSC General Manager Stephen W. Orfei, “We’re pleased to partner with the Payment Security Taskforce and the EMV Migration Forum in this important initiative to drive adoption of EMV chip technology in the U.S., a critical security layer that when combined with PCI Standards as a layered approach will help organizations better protect their customers’ valuable payment card data.”

The coordinated effort will begin with the launch of educational resources for the VAR and ISV communities to establish an understanding of chip technology, including targeted webinars and self-service web portals on how to build a business case for chip, an overview of a chip card transaction and how to navigate the testing and certification process.

Each VAR will then have the ability to pre-qualify its payment solution for each of the major payment networks with an accredited service provider based on its knowledge of chip technology, and work with its acquirer to receive a final certification of the solutions a merchant would need to use to process a chip card transaction.

Details of the education programme can be found here.

Details of the pre-qualification process can be found here.

PCI Security Standards Council announces new board of advisors

The PCI Security Standards Council (PCI SSC) announced election results for the 2013-2015 PCI SSC Board of Advisors.

The Board will represent the PCI community by providing counsel to SSC leadership.

The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards and other payment security initiatives:

  • Bank of America N.A.
  • Bankalararasi Kart Merkezi
  • Barclaycard
  • British Airways PLC
  • Carlson
  • Cartes Bancaires Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • European Payment Council AISBL
  • FedEx
  • First Bank of Nigeria
  • First Data Merchant Services
  • Global Payments Inc.
  • Ingenico
  • Micros
  • Middle East Payment Systems
  • PayPal Inc.
  • Retail Solutions Providers Association
  • RSA, The Security Division of EMC
  • Starbucks Coffee Company
  • VeriFone Inc.
  • Wal-Mart Stores, Inc
  • Woolworths Limited

Board of Advisor members provide strategic and technical input to PCI SSC on specific areas of Council focus. Past board members have provided reach into key industry verticals and geographies to help raise awareness and adoption of PCI Standards; have shared their experience with implementing PCI Standards in presentations at the annual Community Meetings; and have contributed guidance on training product development and led Special Interest Groups (SIGs).

“Active involvement from our Participating Organization base is critical to ensuring the PCI Standards remain at the front line for protection against threats to payment card data. Once again I am impressed by the turn out in the election process. It’s particularly encouraging to see new markets looking towards open global standards like the PCI Standards to help secure payment card data worldwide,” said Bob Russo, general manager, PCI Security Standards Council.

“The Council and wider stakeholder community will benefit from the breadth of experiences and perspectives that this new board represents.” The board will support the Council’s mission to raise awareness and drive adoption of PCI Standards worldwide and will kick off its work in June with its first face-to-face meeting with Council management. “This year saw more European involvement than ever in the Board of Advisors election process. Although Europe contains mature EMV markets, this level of involvement in the PCI SSC confirms that the combination of PCI Standards and EMV chip is a powerful force for protecting payment card data,” said Jeremy King, European director, PCI Security Standards Council. “Our new board is a truly global group, and the Council will benefit greatly from its input as we continue to drive awareness and adoption of PCI Standards worldwide.”


PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC) has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities, including card manufacture, chip embedding, magnetic-stripe encoding, embossing, card personalization, chip initialization and chip personalization.

These requirements were formerly managed separately by each payment card brand; the Council aligned them and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and to protect against the fraudulent use of card materials.

It’s broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

“There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain.”

PCI SSC releases PCI DSS Cloud Computing Guidelines

The PCI Security Standards Council has published the PCI DSS Cloud Computing Guidelines Information Supplement, a product of the Cloud Special Interest Group (SIG).

The guide is an excellent introduction to the “cloud” and offers specific and helpful guidance on what to consider when processing payments involving the cloud as well as the storage of sensitive data.

“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. “One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”

The PCI DSS Cloud Computing Guidelines Information Supplement builds on the work of the 2011 Virtualization SIG, while leveraging other industry standards to provide guidance around the following primary areas and objectives:

  • Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud Provider/Cloud Customer Relationships – outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.
  • PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.
  • PCI DSS Compliance Challenges – describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

The document also includes a number of appendices to address specific PCI DSS requirements and implementation scenarios, including: additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; sample matrix for documenting how PCI DSS responsibilities are assigned between cloud provider and client; and a starting set of questions that can help in determining how PCI DSS requirements can be met in a particular cloud environment.

Merchants who use or are considering use of cloud technologies in their cardholder data environment and any third-party service providers that provide cloud services or cloud products for merchants can benefit from this guidance. This document may also be of value for assessors reviewing cloud environments as part of a PCI DSS assessment.

“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”

For a link to the full document please use my PCI Resources page here.


PCI SSC’s insights on mobile, encryption and payment security following the North American community meeting

Following the sixth annual North American Community Meeting in Orlando, Florida, which was attended by over 1,000 stakeholders representing 460 organizations from 17 countries, the PCI SSC summarised the key discussion topics as:

  • Feedback on the standards in preparation for the release of the next version of the PCI DSS and PA-DSS in 2013
  • New guidance on secure mobile payment acceptance application development
  • Updates to the Council’s Point-to-Point Encryption (P2PE) program
  • Newly released guidelines for ATM security
  • The Council’s new training programs and professional qualifications
  • Updates from PCI Special Interest Groups on cloud, eCommerce and risk assessment

“The Community Meetings play an important part in bringing together PCI stakeholders to discuss the latest payment card security efforts, and we’re encouraged to see the continued growth of interest and participation in this initiative,” said Bob Russo, general manager, PCI Security Standards Council. “Gaining the feedback from our Participating Organizations is absolutely vital for us to develop new guidance on key topics such as mobile payment acceptance and ATM security, as well as in the on-going improvement of the PCI Standards. The input and discussion at this year’s meetings are especially important as we look to introduce the next version of the PCI Standards in 2013.”

“It is important for us to meet face-to-face with our stakeholders, not only to update them on the most recent developments, but also to have one-on-one interactions and personal conversations on the issues that matter most to them,” said Jeremy King, European director, PCI Security Standards Council. “We look forward to seeing more of our global counterparts in Dublin for the European Community Meeting on October 22-24, 2012.”

See you in Dublin next month.

PCI Security Standards Council announces qualified integrators and resellers certification program

The PCI SSC quotes results from the Trustwave 2012 Global Security Report which states that 76% of the breaches they investigated were a result of security vulnerabilities introduced by a third party responsible for system support, development and/or maintenance of business environments.

Errors introduced by third parties during the implementation, configuration and support of PA-DSS validated payment applications in merchant environments were identified as a significant risk to the security of cardholder data. Specifically, small businesses in the food and beverage industry that rely heavily on outsourcing are particularly vulnerable, as they made up the bulk of the compromises.

To help address this security challenge, merchants, acquirers, payment software vendors and card brands participated in a Council taskforce to evaluate market needs and make recommendations on how to address them. This included development of more guidance and best practices for integrators and resellers and a global list of PCI Council certified integrators and resellers.

The Qualified Integrators & Resellers (QIR) program will provide integrators and resellers that sell, install and/or service payment applications on behalf of software vendors or others the opportunity to receive specialized training and certification on the secure installation and maintenance of validated payment applications into merchant environments in a manner that supports PCI DSS compliance. The PCI SSC will maintain a global list of QIRs, ensuring merchants a trusted resource for selecting PCI approved partners. The PCI SSC will be offering training online in late summer 2012, and the validated list for merchants will be published on the PCI SSC website shortly thereafter. More details on the program, including eligibility requirements and training course information and costs will be made available soon. In the meantime, those interested in participating in the program can click here or email questions to qir@pcisecuritystandards.org.

“Product solutions that are a good fit for a PCI compliant organization need to be installed, configured, and managed properly to support PCI DSS,” said Diana Kelley, principal analyst at security IT research firm SecurityCurve. “Integrators and resellers need to understand what makes a solution effective for protecting cardholder data and the cardholder data environment in order to provide the most value to their customers. That’s why I think the new integrator and reseller certification and training for 2012 is a welcome addition to the Council’s comprehensive training offerings.”

“This program comes as a direct result of industry feedback and stakeholder requests for greater quality assurance and accountability around the secure installation of payment software,” said Bob Russo, general manager, PCI Security Standards Council. “Not only will it help integrators and resellers better understand how to address some of the basic security flaws we’re seeing that can be easily avoided, but it will also make it easier for merchants to have confidence in the services being provided to them. Retailers and franchise operators alike will have a go-to resource they can trust for making sure their applications and systems are being installed and maintained properly.”

Reproduced from the PCI SSC Press Release.


The PCI SSC has opened its registration for the 2012 PCI Community Meetings

PCI North American Community Meeting will be held on September 12-14, 2012 in Orlando, Florida

PCI European Community Meeting will be held this year in Dublin, Ireland, October 22-24, 2012

This year’s meetings offer Council Participating Organizations and PCI stakeholders access to three days of knowledge sharing, networking and learning, including keynote presentations from industry experts, PCI case studies, and technical sessions.

“2012 is a critical year in the standards development process that hinges on feedback from the PCI community. At this year’s meeting, we’ll focus on discussing stakeholder feedback on the standards in preparation for release of the next versions of the PCI DSS and PA-DSS in 2013, as well as share our successes and challenges, ideas and suggestions as a community,” said Bob Russo, general manager, PCI Security Standards Council. “We’ll discuss Council initiatives, including the Point-to-Point Encryption (P2PE) program, mobile payment acceptance security and other technology areas, as well as the work being done through our Special Interest Groups. Attendees will also have the opportunity to take advantage of our PCI SSC Training offerings.”

New to this year’s agenda, the Community Meetings will also feature:

  • Increased networking opportunities
  • Targeted breakout sessions for different stakeholder groups
  • More industry case studies delivered by members of the PCI community
  • Expanded opportunities to meet with card brands
  • Two-day vendor showcase
  • Event mobile app to help make the most of attendees’ time

Special sessions for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) will be held at the meetings.

Several training courses will also be available. These offerings give participants the opportunity to combine the value of peer-to-peer education at the Community Meeting with more formal training sessions, maximizing their time in Orlando and Dublin.

“The record attendance at last year’s meeting is a strong testament to the work that together we as a community are doing to drive payment security forward globally, but especially within Europe,” said Jeremy King, European Regional Director. “I’m thrilled about the growing involvement of the PCI community in Europe and look forward to coming together in Dublin to continue this momentum.”

Attendance fees:

  • Participating Organization: First two registrants are free; $395 for additional registrants
  • Qualified Security Assessor (QSA)/Approved Scanning Vendor (ASV)/Internal Security Assessor (ISA)/PIN Transaction Security (PTS) members: First registrant is free; $695 for additional registrants

For more information, or to register

See you in Dublin.


PCI Security Standards Council pushing for feedback as window starts to close

The Payment Card Industry (PCI) Security Standards Council (PCI SSC) called upon its global constituents to submit feedback for development of the next version of the PCI Data Security Standard (DSS) and PA-DSS.

As part of the three-year life-cycle for standards development, the official feedback period, which opened in November 2011, will be closing on April 15, 2012.

To make it even easier to submit feedback, the process has been streamlined and simplified, with a readily accessible tool available online at https://programs.pcissc.org/.

“Feedback is the lifeblood of the standards development process,” said Bob Russo, general manager of the Council.

“We’ve had great participation so far, but we want to ensure that the standards continue to be the most effective set of best practices against payment data breaches. We can only evolve these best practices through the experience and feedback of our stakeholders.”


PCI Security Standards Council continues focus on mobile payment acceptance security

The PCI Security Standards Council (PCI SSC) is participating in a Congressional hearing titled “The Future of Money: How Mobile Payments Could Change Financial Services,” held by the Subcommittee on Financial Institutions and Consumer Credit.

Other representatives at the hearing included:

  • Atlanta Federal Reserve
  • MasterCard
  • Smart Card Alliance
  • The Consumer Union

The PCI Security Standards Council Chief Technology Officer Troy Leach served as an expert panelist, providing insight into security considerations when it comes to payment acceptance using mobile technology, as well as the Council’s work to date and future plans in this area.

The hearing is the first in a series of three designed to:

  • examine the technology by which mobile transactions are conducted
  • identify potential security problems
  • identify regulatory barriers that consumers, merchants, and financial institutions might face when using mobile payment services
  • consider whether statutory changes are necessary as mobile payment systems become more widely available and are increasingly used.

Participation in the hearing comes as part of the Council’s and its stakeholders’ focused efforts in the area of mobile acceptance security.

The area of mobile payments includes two different environments for the use of mobile devices:

  1. merchant acceptance applications, where phones, tablets and other mobile devices are used by merchants as point-of-sale terminals in place of traditional hardware terminals
  2. consumer facing applications where the phone is used in place of a traditional payment card by a consumer to initiate payment

The Council’s security efforts to date in this area have been concentrated on the first environment, securing the use of mobile devices as a point of sale acceptance tool.

“Mobile technology offers exciting potential to the payments space,” said Troy Leach, chief technology officer, PCI Security Standards Council. “To help realize this securely, the Council is working with its global stakeholders to develop the industry standards and resources necessary for the protection of cardholder data across all payments channels, and for the reduction of fraud for consumers and businesses globally.”

In 2011, the Council issued guidance on the types of payment applications that can allow organizations to accept and process payments securely using mobile technology, including a checklist resource to help explain simply and succinctly to anyone currently considering mobile acceptance solutions which types of application support PCI Standards.

The Council also identified the types of applications that fall short of security standards for secure mobile acceptance. In collaboration with industry subject matter experts, including software application developers, the Council is continuing to examine this area to determine whether the inherent risk of card data exposure in these applications can be addressed by existing PCI Standards, or whether additional guidance or requirements must be developed.

Compliance by device vendors with these requirements now allows merchants to use plug-in devices with mobile phones to swipe cards securely: the data is encrypted at the point the card is swiped, making it unreadable and so minimizing risk. The mobile device acts only as a conduit and has no ability to decrypt the encrypted data.

In the coming months the Council plans to release specific guidance for merchants on how to effectively use these security requirements in conjunction with encryption technology to more easily and securely accept payments using mobile technology.

Later this year the Council will also produce a best practices document for securing mobile payment transactions.

PCI and mobile payment security will be a topic of discussion at the Council’s Annual Community Meetings scheduled for

  • September 12-14 in Orlando, Florida
  • October 22-24 in Dublin, Ireland – if you are going to Dublin see you there

