by Paul Newell
June 21, 2012 11:30AM
Why do you, as a merchant, have to conduct PCI training? The answer is simple: because the PCI DSS requires it. Requirement 12.6, to be exact, calls for a formal security awareness program that makes all personnel aware of the importance of cardholder data security:

Requirement courtesy of the PCI SSC: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Why is PCI training a requirement in the first place?
Training employees in safe payment card handling procedures and general security awareness reduces the risk of an internal breach. Merchants should be proactive, take the proper steps to secure their business and meet PCI compliance requirements. Proper PCI training is a requirement that is often overlooked; in fact, it should be a top priority, because employees are the first line of defense against a data breach. Be certain you give your employees the tools to properly protect your business. (more…)
Categories Data Security, Internet Security, PCI Compliance, PCI DSS, PCI SSC | Tags: Information security practices, PCI Compliance, PCI Training, security awareness
by Russ Staiger
June 14, 2012 4:30PM
On May 31, 2012, the PCI Security Standards Council (PCI SSC) announced the PCI PIN Transaction Security (PTS) Hardware Security Module (HSM) Security Requirements version 2.0. The new version is intended to better secure cardholder data throughout card transactions.
In the payment card context, HSMs are the hardware that protects PIN processing and the cryptographic keys behind it, so they fall under the Council’s PIN Transaction Security (PTS) program. Their goal is to protect sensitive information during transactions: cardholder data as well as the cryptographic keys used for both encryption and authentication. Typical uses are the encryption, translation and decryption of PINs, payment card personalization (loading keys and cardholder data onto cards at issuance), general data protection and e-commerce key management.
The requirements apply to HSMs produced going forward; they do not affect HSMs already in use, nor do they change the deployment mandates of the major payment card brands or the brands’ own policies that apply to HSMs. (more…)
Categories PCI Compliance, PCI SSC, Technology | Tags: Hardware Security Modules, PCI Compliance responsibility
by Kristyan Mjolsnes
June 12, 2012 3:30PM
Let’s be honest, talking about the payment application as it relates to PCI compliance and your network security strategy isn’t a terribly exciting topic. However, once you consider that any business that stores, processes or transmits payment card information uses some form of payment application, you start to realize how central it is to the discussion. It is also easy to see why so many merchants focus their compliance efforts on the POS system and assume that a compliant payment application makes them fully PCI compliant. The reality is that although the payment application plays a key role in protecting cardholder data, it is only one part of the larger compliance picture.
So, starting with the basics: the payment application is the software that captures cardholder data at the point of sale and sends it to the processor for authorization, usually across the Internet. There are different types of payment applications, but in most restaurant and retail environments you are looking at one of two options: standalone terminals or Point-of-Sale systems with an integrated card swipe. The card brands require merchants to use a validated payment application, i.e. one that has been assessed against the PA-DSS and appears on the Council’s list of Validated Payment Applications. Using a PA-DSS validated application by itself does not make a merchant PCI DSS compliant: the application must be installed and operated in a PCI DSS compliant environment (network segmentation, patching, logging, access control and so on are the merchant’s responsibility, not the software vendor’s).
Since integrated Point-of-Sale (POS) systems are typically built on a customized version of the Windows operating system, a POS environment carries the same security concerns as any other Windows host on the network. Here are a few best practices to keep in mind: (more…)
Categories Data Security, Internet Security, PCI Compliance, Technology | Tags: Payment Application
by Kristyan Mjolsnes
June 11, 2012 10:00AM
Yet another restaurant franchise has fallen victim to a card breach. Penn Station East Coast Subs issued a press release on June 1, 2012, confirming that 43 of its 235 United States locations had been breached. The locations span 9 states in the East Coast and Midwest.
According to BankInfoSecurity, the breach occurred in March and April of 2012 and was first suspected when a customer called a Penn Station restaurant to report fraudulent charges on his card after he had dined at that location. From there, the processor was contacted and the Secret Service became involved in the investigation.
The manner in which the customers’ credit and debit card data was stolen has not yet been identified. It could be card-skimming devices illegally installed at the point of sale, or a compromise of the locations’ card-processing networks. Penn Station is keeping its customers informed on its website as the situation progresses. (more…)
Categories Data Breach, Data Security | Tags: Cardholder data, data breach, Franchise, Security Breaches
by Kristyan Mjolsnes
June 7, 2012 9:00AM
A breach that occurred late in 2011 is only now coming to light through the legal action that a bank is taking against Five Guys Burgers and Fries. The Times Union reports that the national burger chain had its customers’ debit card information stolen in November and December of 2011. The breaches occurred at four Alabama Five Guys locations. Trustco Bank reports that its customers incurred a total of $89,800 in fraudulent charges on their debit cards over 376 transactions. Because the charges were made on debit cards, that money was taken directly out of the victimized cardholders’ bank accounts.
At a cost of more than $14,000, Trustco Bank had to cancel and reissue 1,701 of its customers’ MasterCard debit cards because of the breach. Additionally, it had to refund its customers the full amount of the fraudulent charges taken from their bank accounts. The bank is now suing the Five Guys franchise for just over $100,000, the combined cost of reissuing the cards and refunding its customers’ accounts.
A spokeswoman for Five Guys said that Trustco Bank customers were not the only cardholders to have their information stolen. “The store’s data was vulnerable for a limited period of time,” said the spokeswoman. All customers who used their cards at the locations during that period were exposed to the breach and have been notified. The overall number of compromised credit and debit cards has not been released. (more…)
Categories Data Breach, Data Security | Tags: Breach, Cardholder data, Credit Card Breach, data breach