The Security Pub

Random Thoughts About Security

PCI Council readying end-to-end encryption guidance

The PCI Security Standards Council is studying a number of emerging technologies and plans to issue a guidance document on end-to-end encryption when it releases the next version of the PCI Data Security Standards (PCI DSS), due out in October. Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry “big buzz word.” Other technologies being studied include the use of tokenization and chip and PIN technologies to protect credit card data and how virtualization affects data protection technologies. In this interview, conducted at the recent 2010 RSA Security Conference, Russo explains whether the next version of PCI DSS will have any major changes and why the Council takes a cautious approach to adding changes to the standard.

Here is the article from SearchSecurity, or, if you would rather watch the video, here is the link.

Are You Ready For PCI 2010?

I’d like to share some key deadlines with you so that you are aware of what is going on with PCI this year. This information came from an article in Bank Technology News that I read by Bruce Rutherford, chairman of the PCI Security Standards Council.

November 2009 – April 2010: PCI DSS and PA-DSS feedback review process.

March: Council shares summary of feedback with market.

Late April: New PIN transaction security (PTS) standard released (formerly PIN Entry Device (PED) Standard).

Spring: Council shares framework on emerging technologies, and the first piece of guidance.

Early summer: Summary of proposed changes to the DSS provided to participating organizations and market.

May-September: New version/revision and final review.

September 21-23: 2010 US community meeting in Orlando.

October 18-20: 2010 European community meeting in Barcelona.

October 2010: Next iteration of both PCI DSS and PA-DSS released to public.

This year’s events follow the defined 24-month lifecycle of the PCI standards. The lifecycle ensures a gradual, phased use of new versions of the standard without invalidating current implementations of the standards or putting any organization out of compliance the moment changes are published.

Exclusive PCI Security Standards Council Interview

Anton Chuvakin aka “Security Warrior” was able to sit down with Bob Russo & Troy Leach at RSA 2010 for an exclusive interview where he asked a number of questions.

Here is Anton’s introduction:

I think PCI DSS is the most valuable thing to hit the security industry since its inception – both as a driving force for security improvements and as a source of security guidance. However, there are skeptics among merchants (too much security) and some security professionals (too little security). Some of my questions below focus on dispelling the misconceptions such skeptics might hold.

Check out the rest of his interview here.

Do You Take Credit Cards Over The Phone?

So it appears that last week the PCI Security Standards Council changed its policy on audio recordings. Audio recordings containing credit card data should now be treated the same as if the data were written down. Merchants will now need to properly secure and store audio files, in addition to deleting any portion of an audio file that contains prohibited credit card data (for example, the sensitive authentication data that PCI DSS already forbids storing after authorization).

Evan Schuman at StorefrontBacktalk has a nice write up with some additional context.

PCI Press Release: Bruce Rutherford Named New PCI Security Standards Council Chair

Today, the PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS) Security Requirements and the Payment Application Data Security Standard (PA-DSS), announced that Bruce Rutherford, group head, fraud management solutions, payment system integrity, MasterCard, has been appointed as the new chairperson of the PCI Security Standards Council.

Read the entire Press Release – [PCI SSC]