Saturday 4 August 2007

Compliance in a box

There has been some reaction to this piece of PR.
While the idea of compliance in a box is nice, it seems risky to promise it in such a way. However, if you actually read the statement it does specifically say "...new program will help companies worldwide implement encryption..."
Given that PCI compliance involves everything from the writing of policy documents through to how specific data needs to be secured and audited, this statement merely confirms that PCI compliance can take considerable time and resources to deploy.
Encryption is one of the many things that need to be done, so with that date looming, things need to happen fast and every little bit helps.

Friday 3 August 2007

And the results are....

Interesting article relating to the PCI deadline and progress amongst retailers in the US.
Even more interesting is this which outlines some of the aggravating aspects of PCI and how retailers are still having problems understanding what they are supposed to be doing.
Seems like there is still a lot to do in the whole area of PCI and compliance.

PCI Assessors could be having a negative impact?

Interesting article that highlights customer concerns about the PCI DSS and how QSAs aren't actually helping things!
The question of conflict of interest for QSAs who resell product or market services is also a cause for concern.
Would you be skeptical if the person providing you with advice also then tried to sell you product or services?

Friday 29 June 2007

DPA and its lack of teeth

Interesting article on Mondaq regarding the price of security when it comes to the Data Privacy Act, focusing on the recent Nationwide incident involving the potential exposure of data on a lost laptop.

Requires registration

Tuesday 26 June 2007

When is a deadline not a deadline?

When it is a PCI Deadline?
Back in April some retailers seemed intent on meeting a deadline for PCI compliance of 30th June 2007. Much was made about the efforts to achieve this and smaller retailers and PSPs followed suit.
Fast forward almost two months and the same two retailers are now reining in their efforts to fast-track PCI compliance because of an easing back on enforcement.
This slowdown could certainly be attributed to an article that appeared on the front page of Computer Weekly in the UK.

Card firms ease back on security demands

Credit card issuers have backtracked on demands that retailers and online merchants meet tough new standards to safeguard customer credit card data by the end of June.

Visa admitted this week that deadlines for retailers to comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires firms to adopt a package of security measures, were "unrealistic".

The move follows growing evidence that many retailers are struggling to implement the standards and are unlikely to have their systems fully secured for another one or two years.

Card companies are now limiting their demands to an immediate requirement that retailers put risk mitigation strategies in place to protect their most sensitive data, rather than insisting that all of the standard's criteria are met. Retailers must also be able to prove that they are working towards full compliance.

"Visa and MasterCard agree that risk mitigation is of prime importance and we expect this to be done immediately," said Stanley Skogland, head of policy compliance at Visa Europe. "It does not mean that we do not expect all parts of the standard to be achieved, but we cannot expect miracles overnight."

The PCI DSS was developed in January 2005 by Visa and MasterCard to compel businesses that process payment card data to meet 12 security standards.

But retailers only began to get to grips with the standard last year, following a series of high-profile leaks of confidential credit card data, including the loss of 45 million credit card details from US retailer TJX.

Paul Smith, director of payment systems at the British Retail Consortium, said the deadline was the second to pass without retailers achieving full compliance. He blamed poor communication for the delays.

"Communication was not good in the early days of this programme. Retailers need to know when and how these things need to happen," he said.

Smith added that about 20% of the requirements were still being discussed because "it is not clear what is actually required".

Simon Langley, head of PCI DSS at KPMG, said the reduced focus on the full 12 requirements was sensible given the mixed messages. "Visa and MasterCard agreed on the standard, but compliance has not been standardised," he said.

This could potentially mean a slowdown in PCI compliance, at least with the big boys.

Friday 25 May 2007

PCI SSC Announces board advisors

Some big names elected onto the PCI SSC council (14 in all).

Their primary role is to serve on the board and provide strategic and technical guidance to the PCI Security Standards Council.

Microsoft and VeriFone are the only technology companies; the rest are retailers or PSPs with a vested interest in PCI.

I wonder if the PCI SSC will behave like a mini UN with lots of differing groups with their own agenda, generating ideas and statements about what should be done but too much in-fighting and Special Interests to actually get a majority vote to get motions passed through.

With a member like APACS involved (the UK payments association) there should be no excuses in the future from UK organizations for not being PCI compliant, as there were around 18 months ago when PCI DSS conflicted with what APACS required from retailers/PSPs.

It will be interesting to see any minutes from the initial meetings for any future PCI DSS changes, just to see who is in favor of PCI and who isn't.

Thursday 24 May 2007

APAC market gains PCI momentum

A PCI blog reports on the increase in interest levels within the APAC region.

PCI Answers is a great source of PCI news, and its contributors are very active in the PCI space.

PCI pays off

Another Dark Reading article featuring Bryan Sartin of Cybertrust, discussing how PCI can pay off in the short to long term. He states that "...No organization that has been completely compliant with PCI has been compromised."

Wednesday 23 May 2007

PCI Costs, but not as much as a breach

Interesting article on Dark Reading. While it is generally accepted that breaches aren't great financially, staying ahead of PCI compliance could be beneficial in the long term, both financially and with respect to security of your organization.

Sunday 20 May 2007

Too little too late perhaps??

While this is not necessarily a news item, only a press release for 7Safe's PCI DSS training service, it does highlight the last-minute approach most companies have taken to tackling PCI compliance.

If true, PCI vendors should expect some increased levels of interest as 30th June 2007 approaches.

Tuesday 15 May 2007

PCI: This is how we do things in Texas

Texas is mulling over a bill that would make PCI DSS a state law.
The bill is expected to spur broader adoption of PCI security controls and is supported by a number of Texas credit unions, who want to push liability onto the merchants.
Texas isn't the first to push this kind of bill through; Massachusetts also proposed something back in Feb 2007.

Monday 14 May 2007

Security Breaches are good for you....

Interesting blog post about how breaches or bad news actually increase a company's profits.

Will this mean that companies will be queuing up to disclose their security breaches or health scares (in cases of your local eatery)!?

Is this reverse psychology gone mad?

Sunday 13 May 2007

PCI News for PCI News sake

I am starting to feel that article writers are publishing PCI pieces just for the sake of filling out their quota.
This article outlines what the PCI Self Assessment Questionnaire is and the need to complete it, with the writer offering his own firm's services to do it, I guess.
In this article the writer seems to be going for the "point out the obvious" award for the week. The title of the piece being "PCI Standard Drives Some CISO's Work This Year". I guess the "some CISO's" part of the title refers to the companies who are actually undertaking a PCI project this Year! His next article will be along the lines of "Smoking is bad for your health".

Saturday 12 May 2007

PCI is just too hard... why the FD CISO may not be 100% correct

This article over on SearchSecurity.com gauges the reaction to comments from First Data CISO Phil Mellinger that PCI DSS compliance should essentially be made easier to attain, in order to get more merchants compliant.

It would be nice if a lot of things that were hard or essential, were made easier to achieve. Life would be so much better.

Time to board the PCI Ship

Yet another TJX related item on the web, highlighting the need to get with the program.

If you received a gift card of a high value from a shady character they could have been involved in the TJX breach. Read on to find out how Credit Card fraud of the TJX scale helps the gift card business boom.

Saturday 5 May 2007

Sun is just giving it away...

Sun recently announced they would give away their encryption key software. Read a little further before you rush to take up this free offer, as it is only the APIs they are preparing to share, "...which are how the KMS talks to an encryption device."

So everything else is gonna cost ya. Could this be a cunning way to promote the sale of more Sun hardware?

The KMS standard is still very much a work in progress, and this could turn into another classic Betamax vs. VHS, or the more current HD DVD vs. Blu-ray, battle.

Thursday 3 May 2007

How much does a data breach cost?

Estimates put the TJX fiasco at $4.5 billion. And that's the optimistic number.
The Ponemon Institute, a think tank focused on record privacy and data protection, expects the TJX breach costs to be even higher. They cite costs in the range of $182.00 per record, based on November 2006 research into the cost of breaches incurred in 31 separate incidents. For TJX, this translates to $8.6 billion.

The TJX data security breach: 10-K filing shows IAM and compliance mistakes

This article goes into some detail on how TJX didn't quite come up to scratch with compliance, and questions their internal security controls.
It again raises the question of how the secret keys were compromised if data at rest was being encrypted, given that the compromise went back to 2005 but was not discovered until December 2006.

Tuesday 1 May 2007

Fraud in the Airline industry and plugging the gap

Very interesting article discussing the effect of fraud in the airline industry, based on responses to a survey of UK airlines. PCI features as the number one security requirement to meet. You'll need to register on the site.

Monday 30 April 2007

New England bankers sue TJX for breach

Three state-wide bankers associations -- Massachusetts', Maine's and Connecticut's -- announced on Tuesday that they had filed a class action lawsuit against retail giant TJX Companies for damages caused by a series of computer breaches that exposed 45.6 million credit-card accounts.

"If we are successful against TJX, the nation's major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required," Daniel Forte, president and CEO of the Massachusetts Bankers Association, said in a statement.

RSA moving away from single sign-on

"The US-based vendor earlier this week announced plans to offload maintenance licensing and support for its enterprise single sign-on product to PassLogix, a New York-based authentication and identity/access management vendor."

Infosecurity: Security breaches biggest worry, says study

This survey shows that 39 per cent of the IT professionals questioned are currently acting on the need for PCI compliance and half believe compliance ...

74 Percent of Security Executives Concerned about brand reputation

LONDON --(Business Wire)-- Qualys, Inc., the leading provider of on demand security risk and compliance management solutions, today announced that 74 percent of European senior security executives see the impact of payment card loss on brand reputation as their biggest concern.