Category: Credit Card Security

September 10th, 2013 by Admin

Verizon annually releases its Data Breach Investigations Report, which probes data breaches in various industries and studies the nature of fraud reported by merchants and other agencies. In the past Verizon worked with the U.S. Secret Service; the information gathered on electronic payment breaches has now expanded to include the Police Central e-Crime Unit, the Australian Federal Police, the Dutch National High Tech Crime Unit, and the Irish Reporting & Information Security Service in addition to the United States Secret Service.

One area that Verizon broke out and studied independently was the healthcare industry. In 2010 the Health Information Technology for Economic and Clinical Health (HITECH) Act included a provision requiring healthcare and medical data breaches to be reported to a variety of outlets, including the Secretary of Health and Human Services. Medical record protections keep the casual cyber criminal at bay, but the majority of security data breaches are in large part targeted at information attackers can profit from. The data cybercriminals target most often includes health insurance data and personal and electronic payment transaction data. Hardware is another asset that is targeted, both because of the data on the hardware and the cost of the hardware itself.

Remote data breaches at health care providers were typically carried out through some form of hacking or malware. That is consistent with other industries in the report, and these are considered the favorites among cybercriminal organizations. Exploitation of default or guessable credentials rang in at the top of the chart. Of those, point of sale payment systems and desktop computers were the most targeted areas of the health care industry. Although electronic medical records and transcriptions stored on file and database servers were a target, those criminals were more likely interested in identity theft and fraudulent loans than in what was actually in any individual's medical records.

Point of sale payment terminals are the most targeted asset, with POS servers and gateways the second most targeted. Like all other sectors, professional criminals tend to follow the money trail, and that ends up being at POS payment systems. So much so that even desktop computers and email are used as vectors to get malware onto medical systems and render security policies ineffective. To find out how to better protect medical and healthcare records from cybercriminals and data breaches, read the reports here and here.

Posted in Best Practices for Merchants, Credit Card Security, Point of Sale

August 16th, 2013 by Admin

Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of electronic transaction security standards, published the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 Change Highlights as a preview of the new version of the standards coming in November 2013. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness, and transaction security as a shared responsibility with merchant account holders.

The seven-page document is part of the Council’s commitment to provide as much information as possible during the development process and eliminate any perceived surprises for organizations in their PCI credit card security planning. Specifically, the summary will help PCI Participating Organizations and the assessment community as they prepare to review and discuss draft versions of the standards at the 2013 Community Meetings in September and October.

Changes to the standards are made based on feedback from the Council’s global constituents per the PCI DSS and PA-DSS development lifecycle and in response to market needs. Key drivers for version 3.0 updates include: lack of education and awareness; weak passwords, authorization, verification and authentication challenges; third party payment security challenges; slow self-detection in response to malware and other threats; inconsistency in assessments.

“Today, most organizations have a good understanding of PCI DSS and its importance in securing credit card data during transactions, but implementation and maintenance remains a struggle – especially in light of increasingly complex business and payment technology environments,” said Bob Russo, PCI SSC general manager. “The challenge for us now is providing the right balance of flexibility, rigor and consistency within the standards to help organizations make payment security business-as-usual. And that’s the focus of the changes we’re making with version 3.0.”

Based on feedback from the industry, in 2010 the Council moved from a two-year to a three-year standards development lifecycle. The additional year provides a longer period to gather feedback and more time for organizations to implement changes before a new version is released. Version 3.0 will introduce more changes than version 2.0, with several new sub-requirements. Proposed updates include:

  • Recommendations on making PCI DSS business-as-usual and best practices for maintaining ongoing PCI DSS credit card compliance
  • Security policy and operational procedures built into each requirement
  • Guidance for all requirements with content from Navigating PCI DSS Guide
  • Increased flexibility and education around password strength and complexity
  • New requirements for point-of-sale terminal security
  • More robust requirements for penetration testing and validating segmentation
  • Considerations for credit card data in memory
  • Enhanced testing procedures to clarify the level of validation expected for each requirement
  • Expanded software development lifecycle security requirements for PA-DSS application vendors, including threat modeling

Note that these updates are still under review by the PCI community. Final changes will be determined after the PCI Community Meetings and incorporated into the final versions of the PCI DSS and PA-DSS published in November.

The change highlights document, with tables outlining anticipated updates, is available on the PCI SSC website: https://www.pcisecuritystandards.org/security_standards/documents.php

The Council will host a webinar series for the PCI community and the general public to outline the proposed changes. To register, visit: https://www.pcisecuritystandards.org/training/webinars.php

“PCI DSS and PA-DSS 3.0 will provide organizations the framework for assessing the risk involved with technologies and platforms and the flexibility to apply these principles to their unique payment and business environments, such as e-commerce, m-commerce, mobile acceptance or cloud computing,” added Troy Leach, PCI SSC chief technology officer.

PCI DSS and PA-DSS 3.0 will be published on 7 November 2013. The standards become effective 1 January 2014, but to ensure adequate time for the transition, version 2.0 will remain active until 31 December 2014.

For more information and to register for the 2013 Community Meetings, please visit: https://www.pcisecuritystandards.org/communitymeeting/2013/

About the PCI Security Standards Council

The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has more than 650 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.

Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council

Join the conversation on Twitter: http://twitter.com/#!/PCISSC

Posted in Credit Card Security, Digital Wallet Privacy, Mobile Payments, Mobile Point of Sale, Point of Sale

August 12th, 2013 by Admin

Small businesses are gaining traction in the mobile payment landscape. Mobile credit card readers attached to a smartphone or tablet now account for billions of dollars in m-commerce sales. “Together, mobile and social are transforming the way SMBs acquire and retain customers. With the heavy use of social media, SMB marketing is quickly becoming a two-way engagement rather than a one-way promotion,” said Steve Marshall of BIA/Kelsey. As more people switch to and upgrade their smartphones, AT&T, Verizon and T-Mobile are looking to partner with digital wallet provider Isis.

Posted in Credit Card Reader Terminal, Credit Card Security, Digital Wallet Privacy, Electronic Payments, Mobile Payments, Near Field Communication, Smartphone

July 15th, 2013 by Admin

Cyber Crime InfoGraphic by Vericode.

Today anyone can have an e-commerce web site set up in mere minutes. There are a lot of open source e-commerce solutions that allow a web site owner to establish a site very easily; some require just a few clicks to get going. Once you have your color scheme chosen and your navigation all set, a decision on how to accept payments is inevitable. E-commerce payment gateways allow your site to connect securely to a payment processor to accept your electronic transactions. These digital transactions can be used by hackers to target your site, your customers' credit card information, and much more. Whether the data targeted is stored on the merchant's network or on the customer's mobile device, businesses need to implement a cyber security strategy.

Posted in Credit Card Security