Recently, it was revealed that the Payment Card Industry Security Standards Council revoked the QSA qualification of one particular organization.  This is a fairly significant event in the evolution of the PCI SSC’s QA program.

Having been a QSA for 4+ years, we often ran into scenarios where we would review the previous year’s Report on Compliance.  In reviewing those, it was amazing at how ambiguous those reports could be.  The reports literally looked as though they put a network diagram in, did a find and replace for the company name, and then issued the report.  Besides having a report that was virtually worthless to the customer, this didn’t provide an even playing field for all the QSAs out there.  Report writing takes a significant amount of time.  I am not implying that the other QSAs were not doing the work, they just were not documenting it properly.  I raised my concerns to the PCI SSC on how inconsistent some of the reports were and was told changes were coming. (more…)

Many restaurants still use the old point of sale systems, usually because of a busy schedule or cost restraints. However, these old machines often store a lot of data that is not supposed to be held in the machines. Also, these old systems are missing essential security updates. But most restaurant owners are unaware of this fact, and they continue to use these systems as they are comfortable with it. This is a very dangerous proposition since criminals are getting smarter nowadays, and with old machines they can wreak havoc in a very short amount of time. This calls for the need to update the machines in your restaurant.           

There are various options you have while updating your machines used for processing credit card transactions. Always remember to choose machines which are up date with the latest standards in terms of security, and which will be able to update themselves in regular intervals. Getting such machines will help keep your customers’ data safe at all times. This will involve a call to your POS vendor. If you are concerned or confused with this process call your PCI compliance vendor, as they can help point you in the right direction.

Cyber-attacks are becoming more frequent and severe with the vast majority of businesses suffering as least one data breach in the past year, according to a new Ponemon Institute survey.

Businesses of all sizes are being hit by cyber-attacks, as 90 percent of surveyed businesses reported at least one IT security breach in the past 12 months, the Ponemon Institute found in its latest report. More than half of those respondents, or 90 percent, claimed two or more breaches over the same period. Nine percent reported five or more network intrusions in the past year.

It seems that businesses are missing the point. Instead of implementing general security practices, it is important to protect data by checking the flow of that data and its path throughout an organization.

In the study, about 59 percent of respondents said the theft of information assets was the most serious consequence of a security breach, followed by business disruption. Nearly 41 percent of the companies surveyed said overall the security breaches had cost them at least half a million dollars to address, when costs such as cash outlays, business disruption, revenue losses, internal labor and overhead were taken into account. Another 16 percent were unable to calculate their losses.

Read more from the report here.

The report included 583 IT security professionals from the United States, United Kingdom, France and Germany. A little more than half of these professions worked for companies with more than 5,000 employees.

PCI compliance means making sure that your data security is in line with the minimal recommended requirements of the payment card industry standards. What this means is that you are looking after the personal and financial information of customers and clients who hand over their payment details and keeping it safe from potential hackers and others who might break into your system.

In order to accept a payment card it is necessary for you to meet this PCI compliance and if you do not then you will only be able to accept cash – drastically decreasing the number of impulse buys you get and making your company seem relatively dated.

 There are many PCI requirements that factor into PCI compliance and if you want to use the cards then you need to meet these. One of these factors is to make sure that you have adequate protection for any stored data and this will affect a great number of businesses.

First of all let’s look at why you might want to store data in the first place. Essentially by stored data is meant any information that you keep on a database regarding clients, customers or other businesses. This information might be a list of names and addresses only, or it might be something more thorough such as financial information.

The reason you might store financial information is that you can use it for direct debits and for ‘profiles’ on a website. Many companies will allow a customer to log in and create a profile that contains their financial data so that they can very easily make purchases at the touch of a button. This allows every part of a website to become a point of sale, but it means that all that information has to be stored on the server. On the other hand any business that provides a customer with a loan, a payment scheme, a subscription or a monthly contract is going to want to take money out of their account automatically on an agreed day – and that means storing data.

Alternatively if you provide a company or an individual with a service, then these ex-clients become leads – i.e. parties that you know are interested in your service and that might be more likely to buy in future. By logging these you can then smartly advertise to them all with future products and services. Even though you are only storing addresses in this situation it is very important that you keep these safe as otherwise your customers could get spammed or suffer from identity theft and you would then lose their faith in your company. So valuable is this kind of information that some companies even sell it for a large profit – so make sure you protect it.

There are many ways to protect stored data for data security and they include making sure that any physical data that is printed out is locked away somewhere safe (and that you don’t throw it out with the rest of the trash) while online data needs to be protected by the latest internet security services.

Citigroup, Inc. has recently been added to the growing number of companies that have been breached within the past couple of months. The financial institution reported that about 200,000 Citibank credit cards were compromised as hackers broke into the company’s online account site. 

However, the New York bank failed to notify its customers in a timely manner as it took them almost 3 weeks to inform its credit card customers of their breached accounts. According to the Wall Street Journal, Citigroup delayed alerting customers because it was conducting an investigation. A spokesperson for the company declined to comment.

According to a press release on the company’s website, the 200,000 affected accounts roughly accounted for only one percent of the 21 million North America Citi-brand credit cards. Although hackers gained access to some information, such as account numbers, names and email addresses, other data such as social security numbers, date of birth, card expiration dates and card security codes (CVV) were not compromised.

While the company has stated that it has implemented enhanced procedures to prevent any breaches in the future, it refuses to disclose any more details surrounding the incident for the security of its customers.