The PCI SSC Releases New Mobile Payment Acceptance Security Guidelines for Developers and Device Manufacturers

The Payment Card Industry Security Standards Council (PCI SSC) released new guidelines during its recent Community Meeting in Orlando. The new Mobile Payment Acceptance Security guidelines apply to the payment applications identified in Mobile Payment Acceptance Application Category 3...

Read more...

 

Five Things to do Before Using Your Mobile Device to Accept Credit Card Payments

The taxi driver at the airport took your credit card using Square on an iPhone. The plumber that fixed your leaky pipes swiped your card on a PayPal device connected to an Android phone. And that posh restaurant where you impressed a client not only took your order on an iPad, but the server swiped your credit card on a PayFox device attached to the iPad. It seems as though everyone is taking advantage of mobile payment technology… Shouldn't you?
Read more...

 

Level 2 Merchants Beware:  Your PCI validation process could be changing

If your business processes between 1 million and 6 million credit card transactions annually and you accept MasterCard as a form of payment, your PCI validation process is probably about to change.

Read more...

 

The PCI SSC Releases its P2PE SAQ

In May the PCI Security Standards Council (SSC) published a fact sheet to offer guidance for merchants evaluating technology to accept payments using a smartphone or iPad/tablet.

Read more...

 

Attackers' Tools Work Day and Night: Who Can Sleep?

A security manager I was speaking with recently described some applicants for a Network Administrator position he was looking to fill. Most of them were well-qualified with backgrounds in IT and network management and had a long stream of credentials following their names.

Read more...

 

New Best Practice: Out with the Password, In with the Passphrase

The recent news of security breaches among major social networking sites reignites the ongoing dilemma of the password. As humans, we have the natural tendency to simplify its content and use.

Read more...

Making Headlines for the Wrong Reason… Don't let it Happen to You.

It even appeared on TMZ.com; one of the world's largest retailers had their website defaced so they were now selling a grill to cook babies. This was, of course, inappropriate and unacceptable for any retailer to host on their website, and most likely the reason major news outlets widely publicized the defacement.

Read more...

 

PCI Compliance & Small Merchants: Whose Concern Is It Anyway?

Small merchants who want to accept credit cards as part of doing business can find themselves lost in a sea of information when it comes to PCI compliance.  While it can be frustrating, the Payment Card Industry Data Security Standard (PCI DSS) has a worthwhile goal, and that is to ensure that credit card transactions are secure and consumers' sensitive data is protected.

Read more...

 

A Fresh New Start Means a Fresh New Look at your PCI Status

Happy New Year! It’s the time of year where many of us celebrate a fresh start and make new resolutions. Your resolution may have been one of the common ones: get to the gym more, stress less, actually use vacation days this year. Website hackers are no different.

Read more...

 

How ISOs & Acquirers Can Assess, Educate and Protect Their Merchants.

The days of simply sending a newsletter or statement stuffer to a merchant describing the PCI requirements may no longer be sufficient to protect the Acquiring community (Sponsor Banks, Processors and ISOs) from the card brand obligations, liability and the impact of state law violations. Approximately 46 states have strict Security Breach Notification Laws and 25 states have Disposal Laws. Some states, Nevada, Massachusetts and Wisconsin specifically mention the Payment Card Industry Data Security Standard (PCI DSS) and/or Information Security Policies.

Read more...

 

Security as a Checklist? Think Again.

The concept of summarizing Payment Card Industry (PCI) requirements into a simple checklist is a welcome one, especially for merchants without a dedicated security team and budget.

Read more...

 

Is PCI Compliance a Law? Should it be?

Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws that are already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade association to enact a federal law around data security and breach notification.
Read more...

 

Security vs. PCI Compliance

Reading accounts of highly publicized data breaches over the last few months occurring in companies that are seemingly PCI compliant, begs the question, "does PCI compliance equal security?" The answer is, "it depends." Unfortunately no business is ever completely secure, but companies can mitigate their risk and make it much harder and more resource intensive for anyone to breach their defenses.

Read more...

 

Beyond PCI: Other Regulations to Look For in 2009

Just a few days ago, the Federal Reserve, the Office of Thrift Supervision and the National Credit Union Administration announced the enactment of comprehensive new rules regarding card practices.  These rules, which will not take effect until July 1, 2010, impose restrictions on a number of controversial issuer practices, including interest rate increases, late fees and double-cycle billing.

Read more...

SAQ Version 1.2 Brings Some Clarity for Level 4 Merchants

The PCI Council released the Payment Card Industry Data Security Standards (PCI DSS) 1.2 at the beginning of October, and a few days ago they released the corresponding changes to the Self Assessment Questionnaire. We’ve had a chance to examine the new versions of the SAQ and have some observations.

Read more...

 

What Constitutes a Payment Application?

Companies frequently ask us about what constitutes a payment application as it relates to PCI Compliance. The term payment application has a very broad meaning in PCI. So hopefully the content of this brief article will help clarify the subject and better define the term. 

Read more...

 

Understand your Legal Rights and Responsibilities Related to PCI Compliance

As with most aspects of the Internet, doing business via the Web has been a series of constant experiments and corrections. The use of electronic payments sparked a huge surge in the number and severity of identity theft cases across the world. Since the card issuers were the most visible agents for these activities, the burden to secure cardholder identities and other sensitive data was assigned to them.

Read more...

 

Five Common Myths Debunked

There is a vast need for better information about PCI compliance in the marketplace. It is a relatively new standard and there is a lack of good information available. In this article I will outline a few of the most commonly held myths that we hear day in and day out from merchants, acquirers and service providers – along with the hard truths.

Read more...

 

 

PCI DSS: An Acquirers Guide for PCI Compliance Best Practices

As deadline dates for PCI compliance looms for Level 1 and 2 merchants, the number of questions surrounding guidelines and methods of achieving that compliance keeps growing. Though the broad outline of compliance areas are clearly defined, not only on the credit card association side, but from acquirers as well, the intricate steps-within-steps of the outlined areas are proving to be bothersome for some.

Read more...

 

5 Steps to Manage a Data Breach?

Industry-specific guidelines and compliance measures, such as the Payment Card Industry's Data Security Standards (PCI DSS), are continuing to emphasize the enforcement of measures to close any and all security loopholes in a company's infrastructure

Read more...

 

5 Steps to Manage a Data Breach? Part II

Though a smaller data breach-affecting only 250 private records-than its predecessors at TJX and ChoicePoint, the musical instrument company Bananas.com (Bananas at Large) was the victim of a hacker, who, according to published reports stole an administrative password by accessing Bananas.com systems as a remote user.

Read more...