Click here for a free PCI scan from ControlScan

Featured Article

Written by:
Joan Herbig

A Fresh New Start Means a Fresh New Look at your PCI Status

Happy New Year! It’s the time of year where many of us celebrate a fresh start and make new resolutions. Your resolution may have been one of the common ones: get to the gym more, stress less, actually use vacation days this year. Website hackers are no different. They make their own resolutions, albeit slightly different ones: attack more, reduce the time it takes to breach a database, take advantage of new attack vectors, and generally, cause more mayhem. Now that you have settled in after your first week back after the New Year, I’d like to suggest a new resolution to add to your others: take a few hours to review your PCI compliance status. Things change so quickly in the security spectrum, what was secure two weeks ago may be vulnerable today. Your business changes as well. You may accept more credit card payments. Internal groups may have grown or reorganized. You may have been fortunate enough to get a budget to buy another server or firewall.

Here are some ideas to get you started with your own PCI New Year’s resolution. Read more...

Recent Articles

How ISOs & Acquirers Can Assess, Educate and Protect Their Merchants.

The days of simply sending a newsletter or statement stuffer to a merchant describing the PCI requirements may no longer be sufficient to protect the Acquiring community (Sponsor Banks, Processors and ISOs) from the card brand obligations, liability and the impact of state law violations. Approximately 46 states have strict Security Breach Notification Laws and 25 states have Disposal Laws. Some states, Nevada, Massachusetts and Wisconsin specifically mention the Payment Card Industry Data Security Standard (PCI DSS) and/or Information Security Policies.

Security as a Checklist? Think Again.

The concept of summarizing Payment Card Industry (PCI) requirements into a simple checklist is a welcome one, especially for merchants without a dedicated security team and budget.

Is PCI Compliance a Law? Should it be?

Is PCI compliance a law? The short answer is no. The long answer is that while it is not currently a federal law, there are state laws that are already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law. In addition, there is a big push by legislatures and industry trade association to enact a federal law around data security and breach notification.
Read more...

Security vs. PCI Compliance

Reading accounts of highly publicized data breaches over the last few months occurring in companies that are seemingly PCI compliant, begs the question, “does PCI compliance equal security?” The answer is, “it depends.” Unfortunately no business is ever completely secure, but companies can mitigate their risk and make it much harder and more resource intensive for anyone to breach their defenses.

Beyond PCI: Other Regulations to Look For in 2009

Just a few days ago, the Federal Reserve, the Office of Thrift Supervision and the National Credit Union Administration announced the enactment of comprehensive new rules regarding card practices. These rules, which will not take effect until July 1, 2010, impose restrictions on a number of controversial issuer practices, including interest rate increases, late fees and double-cycle billing.

View Archive

SAQ Version 1.2 Brings Some Clarity for Level 4 Merchants

The PCI Council released the Payment Card Industry Data Security Standards (PCI DSS) 1.2 at the beginning of October, and a few days ago they released the corresponding changes to the Self Assessment Questionnaire. We’ve had a chance to examine the new versions of the SAQ and have some observations.

What Constitutes a Payment Application?

Companies frequently ask us about what constitutes a payment application as it relates to PCI Compliance. The term payment application has a very broad meaning in PCI. So hopefully the content of this brief article will help clarify the subject and better define the term.

Understand your Legal Rights and Responsibilities Related to PCI Compliance

As with most aspects of the Internet, doing business via the Web has been a series of constant experiments and corrections. The use of electronic payments sparked a huge surge in the number and severity of identity theft cases across the world. Since the card issuers were the most visible agents for these activities, the burden to secure cardholder identities and other sensitive data was assigned to them.

Five Common Myths Debunked

There is a vast need for better information about PCI compliance in the marketplace. It is a relatively new standard and there is a lack of good information available. In this article I will outline a few of the most commonly held myths that we hear day in and day out from merchants, acquirers and service providers – along with the hard truths.

PCI DSS: An Acquirers Guide for PCI Compliance Best Practices

As deadline dates for PCI compliance looms for Level 1 and 2 merchants, the number of questions surrounding guidelines and methods of achieving that compliance keeps growing. Though the broad outline of compliance areas are clearly defined, not only on the credit card association side, but from acquirers as well, the intricate steps-within-steps of the outlined areas are proving to be bothersome for some.

5 Steps to Manage a Data Breach?

Industry-specific guidelines and compliance measures, such as the Payment Card Industry's Data Security Standards (PCI DSS), are continuing to emphasize the enforcement of measures to close any and all security loopholes in a company's infrastructure

5 Steps to Manage a Data Breach? Part II

Though a smaller data breach-affecting only 250 private records-than its predecessors at TJX and ChoicePoint, the musical instrument company Bananas.com (Bananas at Large) was the victim of a hacker, who, according to published reports stole an administrative password by accessing Bananas.com systems as a remote user.

Quick Links