
PCI in a box

Step 1 – Cut a hole in the box….

As a recent former PCI QSA (Qualified Security Assessor), it really frustrates me how many products out there claim they will make you PCI compliant.
Directly in our market space, we have organizations claiming 90%+ compliance out of the box or compliant in xx days. Honestly, this is such a marketing gimmick. But customers fall for it.

Let’s take a look at both of these scenarios:

1. 90%+ compliance out of the box.
Let’s assume there is a PA-DSS application in place and no web facing applications. The customer is a SAQ D, which is pretty typical. Requirement 9 is primarily concerned with physical security. With 26 questions in Requirement 9 and 222 questions in a SAQ D, one is already at 88% as the starting point. So you are indicating, as a remote service provider, that you are able to classify and shred data and distribute and surrender badges, all without a physical presence? Really? We haven’t even addressed Requirement 12 yet. Unfortunately, those that are not in the know believe this propaganda.

2. Compliant in xx days
A service provider cannot guarantee compliance in xx days. First, there are too many variables in implementation, mainly the customer itself. If a customer drags their feet on initiatives beyond a service provider’s control, there is no way to meet the timeline. In addition, compliance for PCI is not a point in time; PCI must be “operationalized”. The SAQ and ASV scans are point-in-time validation points, but a merchant must maintain this throughout the year.

This type of marketing makes our industry look bad as a whole. As a merchant, you are not becoming more secure with the claims that some service providers are making. While they may offer a decent solution, do not have the expectation that these service providers are the silver bullet. Service providers can assist in compliance but it is the merchant that is responsible for their own compliance. Don’t choose a solution just so you can check a box once a year. As a merchant, be concerned with having a secure environment and compliance will follow. In the long run, your organization will be better off.

Now back to my SNL short viewing.

Spot Critical Holes in your Infrastructure with a Vulnerability Assessment

Contrary to popular belief, it really isn’t enough to become secure. If you are serious about maintaining your business for the long run, you will have to maintain security — something that is completely different. Maintaining security can get complicated in a world where new security threats are on the horizon all the time, but it’s something that can get easier if you have the right tools.

If you’re serious about securing the important assets of your business, you will need to first start by using a vulnerability assessment to spot critical holes in your infrastructure. From there, you will be able to see exactly what is insecure at the moment, and then fix those problems.

Naturally, you can also take a different approach with a vulnerability assessment by contracting an outside company to not just run the vulnerability assessment for you, but also to generate an action plan based on the report generated from the assessment. This is a great way to delegate your security tasks without worrying about having an insecure system.

No matter what path you ultimately choose, you will need to get started today by getting the vulnerability assessment and seeing if there are any critical holes in your infrastructure. Contact us today!

PCI Compliance for the QSR Industry

Without solid compliance, the systems that a QSR-oriented business relies on to process payments and other tasks for customers could be at risk for a security breach. If a breach were to occur and it was found that the proper QSR PCI compliance principles weren’t being practiced, stiff fines and other consequences could result.

At this point, the goal is to effectively implement PCI compliance solutions for the unique network environment in your store. Security isn’t something that should be complicated, especially if you have many employees that will need to be educated and trained on proper security procedures.

The key is to practice smart delegating measures. If security is not your strong suit, it may be best to bring in a company that specializes specifically in helping companies manage their QSR PCI compliance needs in a way that just makes sense. The best way to move forward is to make sure that you get started right away — don’t delay! Contact SecureConnect today!

SecureConnect Revitalizes its Brand Identity and Launches New Website

Unveiling a new logo and completely redesigned website earlier this week, SecureConnect has revitalized its brand to reflect differentiation and leadership in the industry.  Specializing in PCI compliance and security solutions, the company has more strongly positioned itself through strategic rebranding that includes renewed design and delivery of communication. Focusing on security as the fundamental source of proper compliance, SecureConnect revisited its tagline, determining that “Security. Compliance. Control.” more strongly communicates its approach to network security and PCI compliance.  With a solution unmatched in the industry, the rebranding effort reinforces the commitment SecureConnect delivers to its customers.

In tandem with its logo redesign, the company examined its online presence and how it could be improved. Launching a more user-friendly website, SecureConnect hopes information will be more easily accessible to customers.  The wealth of educational information and valuable resources available through SecureConnect.com is intended to benefit business owners, acquiring bank partners and integration vendors.

As the SecureConnect brand continues to evolve its solution with the ever changing PCI standards, the rebranding effort attempts to keep its image in line with these changes.

Contact us to learn more!

Passwords and Pepperoni

Hell Pizza, a New Zealand based pizza chain, recently sent out an email to its 230,000 customers to change their passwords. They believe that they have suffered a breach, but cannot yet identify the attack vector (this could be a rogue employee or poorly designed website).

While I applaud Hell Pizza for notifying their customers (web users typically reuse the same email and password across the websites they authenticate to), they didn’t adequately protect the information to begin with. According to sources at risky.biz, the hackers have obtained private information including passwords, email and home addresses and phone numbers, in addition to order information. Apparently, no cardholder data was obtained.

Merchants are continually trying to enhance the user experience by offering such services as online ordering. However, this can be a disservice to your customers if not properly implemented, as in the case of Hell Pizza. Developing a web site with insecure coding is a poor way to conduct business.

While representatives from Hell Pizza indicated that cardholder data wasn’t breached, it would seem likely that the online payment card flow would put their servers in scope for PCI. Vulnerability scanning, as conducted by an ASV (of which BHI SecureConnect is one), should have shown the SQL injection vulnerability (as reported by risky.biz). In addition, validation by completing the Self Assessment Questionnaire would indicate that one cannot provide direct database access from the internet (MySQL was reportedly listening on the public side), among many other violated requirements.

Hell Pizza should have conducted due diligence in assessing their security posture, and if in scope for PCI, have a contractual obligation to fulfill the PCI requirements.

This should also serve as a lesson for consumers not to use the same password for the websites that you access. A breach could potentially allow access to online banking and other personal records. Use a password database, such as the open source (i.e. free) KeePass Password Safe, to keep your passwords safe and straight.
© 2010 BHI Advanced Internet, Inc. Provider of SecureConnect®. All Rights Reserved.