The Security Pub

Random Thoughts About Security

PCI Council readying end-to-end encryption guidance

The PCI Security Standards Council is studying a number of emerging technologies and plans to issue a guidance document on end-to-end encryption when it releases the next version of the PCI Data Security Standards (PCI DSS), due out in October. Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry “big buzz word.” Other technologies being studied include the use of tokenization and chip and PIN technologies to protect credit card data and how virtualization affects data protection technologies. In this interview, conducted at the recent 2010 RSA Security Conference, Russo explains whether the next version of PCI DSS will have any major changes and why the Council takes a cautious approach to adding changes to the standard.

Here is the article from SearchSecurity, or if you would rather watch the video, here is the link.

Another State Makes PCI a Law


Washington has enacted a statute to provide financial institutions with a cause of action against certain entities involved in payment card transactions that fail to take reasonable care to guard against unauthorized access to account information where that failure is found to be the proximate cause of the breach. The law goes into effect on July 1, 2010. The new Washington law is similar to an existing statute in Minnesota and shows that Payment Card Industry Data Security Standards (“PCI DSS”) compliance continues to be codified on a state by state basis.

Read the article here – [Kelley Drye & Warren LLP]

Are You Ready For PCI 2010?

I’d like to share some key deadlines with you so that you are aware of what is going on with PCI this year. This information came from an article in Bank Technology News that I read, written by Bruce Rutherford, chairman of the PCI Security Standards Council.

November 2009 – April 2010: PCI DSS and PA-DSS feedback review process.

March: Council shares summary of feedback with market.

Late April: New PIN transaction security (PTS) standard released (formerly PIN Entry Device (PED) Standard).

Spring: Council shares framework on emerging technologies, and the first piece of guidance.

Early summer: Summary of proposed changes to the DSS provided to participating organizations and market.

May-September: New version/revision and final review.

September 21-23: 2010 US community meeting in Orlando.

October 18-20: 2010 European community meeting in Barcelona.

October 2010: Next iteration of both PCI DSS and PA-DSS released to public.

This year’s events follow the defined 24-month lifecycle of the PCI standards. The lifecycle ensures a gradual, phased use of new versions of the standard without invalidating current implementations of the standards or putting any organization out of compliance the moment changes are published.

Exclusive PCI Security Standards Council Interview

Anton Chuvakin aka “Security Warrior” was able to sit down with Bob Russo & Troy Leach at RSA 2010 for an exclusive interview where he asked a number of questions.

Here is Anton’s introduction:

I think PCI DSS is the most valuable thing to hit the security industry since its inception – both as a driving force for security improvements and as a source of security guidance. However, there are skeptics among merchants (too much security) and some security professionals (too little security). Some of my questions below focus on dispelling the misconceptions such skeptics might hold.

Check out the rest of his interview here.

Do You Take Credit Cards Over The Phone?

So it appears that last week the PCI Security Standards Council changed its policy on audio recordings. Audio recordings containing credit card data should now be treated the same as if that data were written down. Merchants will now need to properly secure and store such audio files, in addition to deleting any portion of a recording that contains prohibited credit card data.

Evan Schuman at StorefrontBacktalk has a nice write up with some additional context.