Your customers trust that you are providing them with the best products and service, but are you providing them the best when it comes to protecting their credit and debit card information? As a merchant you have a contractual obligation to protect your customers’ cardholder data and to maintain PCI compliance. But what is PCI compliance exactly?
Watch our latest video, PCI Introduction by SecureConnect, to get a better understanding of a notoriously confusing topic. It can be especially confusing to someone without considerable technology knowledge, which is why it is often best left to experts like SecureConnect.
If you store, process or transmit credit card data, the PCI DSS requires you to have vulnerability scans performed at least quarterly, both internally and externally, and again after any significant change to your network. Vulnerability scans help detect threats to your cardholder data environment and serve as an ongoing way to monitor the security of your network.
By definition, vulnerability scanning is the automated process of proactively identifying vulnerabilities in the computing systems on a network in order to determine if and where a system could be exploited or threatened. External and internal vulnerability scanning are two different processes that are performed separately, so it is important that you, as a merchant, understand the difference.
External Vulnerability Scanning
The easiest way to explain external vulnerability scanning is to think of it as a security guard who drives around a building to make sure there are no open doors or broken windows that could give an individual a way to gain unauthorized access. In other words, external scanning evaluates the security of your network from outside your firewall, the same vantage point an attacker on the internet has. Whatever is reachable from the internet will be identified and assessed by this scanning process; anything the firewall blocks is, by design, invisible to it.
When an external scan is performed, it probes the target IP addresses, determines which services are exposed to the internet, and checks whether any of those services are vulnerable to exploitation. According to the PCI DSS, external vulnerability scanning must be completed by an Approved Scanning Vendor (ASV). SecureConnect is one of the 133 companies that have received ASV certification. We perform thousands of external vulnerability scans per year as one of the services offered to help merchants in their PCI compliance efforts. (more…)
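To make the external-scan description concrete, here is a small added example written for this page; it is not SecureConnect's scanner or any ASV tool. It does the first thing an external scan does: a TCP connect scan of a host from the outside, a grab of whatever banner each exposed service volunteers, and a sort of the results against a simple policy. The two services it scans are constructed localhost listeners so that it runs offline, and the policy (which ports are expected, which cleartext services count as a failure) and the `assess` function are this example's own assumptions. A real ASV scan goes much further, matching the versions it finds against known vulnerabilities, but enumerating what is reachable past the firewall is where it starts.

```python
"""Minimal external-exposure check: TCP connect scan plus banner grab.

Added example for this page; not SecureConnect's or an ASV's scanner.
The two services scanned below are constructed fixtures on 127.0.0.1.
"""
import socket
import threading
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class ExposedService:
    """One TCP service reachable from the scanner's vantage point."""
    port: int
    banner: str


def probe_port(host: str, port: int, timeout: float = 1.0) -> Optional[ExposedService]:
    """TCP-connect to host:port. On success, read a short banner if the
    service sends one unprompted. Returns None if closed or filtered."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:              # ECONNREFUSED, timeout, unreachable, ...
        return None
    with sock:
        try:
            banner = sock.recv(256).decode("ascii", errors="replace").strip()
        except OSError:          # silent service: no banner within timeout
            banner = ""
    return ExposedService(port, banner)


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[ExposedService]:
    """Connect-scan each port in order and return only the reachable ones."""
    found = []
    for port in ports:
        svc = probe_port(host, port, timeout)
        if svc is not None:
            found.append(svc)
    return found


def assess(services: List[ExposedService],
           cleartext: Dict[int, str],
           allowed: Set[int]) -> List[Tuple[int, str, str]]:
    """Sort raw exposure into findings: (port, verdict, note).

    Policy is an assumption of this example: a reachable cleartext login
    service (telnet, ftp, ...) is a fail, an expected port is a pass, and
    anything else reachable needs review."""
    findings = []
    for svc in services:
        if svc.port in cleartext:
            findings.append((svc.port, "fail",
                             f"cleartext {cleartext[svc.port]} reachable: {svc.banner!r}"))
        elif svc.port in allowed:
            findings.append((svc.port, "pass", f"expected service: {svc.banner!r}"))
        else:
            findings.append((svc.port, "review", f"unexpected service: {svc.banner!r}"))
    return findings


def start_fake_service(banner: bytes) -> int:
    """Constructed fixture: listen on an ephemeral localhost port and send
    `banner` to every client, then hang up. Returns the port number."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> Tuple[List[ExposedService], List[Tuple[int, str, str]]]:
    """Stand up a telnet-like and an SSH-like listener, plus one bound but
    non-listening port that must show up as closed, and scan all three."""
    telnet_port = start_fake_service(b"Welcome to pos-gateway\r\nlogin: ")
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_5.9\r\n")
    holder = socket.socket()                 # bound, never listen()ed: refuses
    holder.bind(("127.0.0.1", 0))
    closed_port = holder.getsockname()[1]
    try:
        exposed = scan("127.0.0.1", [telnet_port, ssh_port, closed_port], timeout=0.5)
    finally:
        holder.close()
    findings = assess(exposed, cleartext={telnet_port: "telnet"}, allowed={ssh_port})
    return exposed, findings


if __name__ == "__main__":
    for port, verdict, note in demo()[1]:
        print(f"{port:5d}  {verdict:6s}  {note}")
```

Run it and the bound-but-closed port is absent from the output, the telnet-style service is reported as a failure with its login prompt captured, and the SSH-style service passes as expected. Swap in a real host, the ports you believe are open, and the ports you know must not be, and the same three verdicts tell you what an ASV scanner will see before it sees it.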
This year’s PCI SSC North American Community Meeting was held at the Disney World Dolphin and Swan Hotel in Orlando, Florida. The event attracted more than 1,000 participants representing 460 organizations from 17 countries. SecureConnect attended, connected with many attendees, and shared great conversations about PCI compliance and global payment security.
Here is a rundown of the topics discussed at the meeting from the PCI SSC:
Feedback on the standards in preparation for the release of the next version of the PCI DSS in 2013
New guidance on secure mobile payment acceptance application development
Updates to the Council’s Point-to-Point Encryption (P2PE) program
New guidelines for ATM security
New PCI training programs, specifically the PCIP certification for entry-level PCI knowledge
Updates from the PCI Special Interest Groups (SIGs) on cloud, eCommerce and risk assessment
Feedback from the Meeting
The most valuable part of the community meeting, in my opinion, was the discussion of the feedback received over the last year on the PCI DSS and its requirements. Since this year is a feedback year for the PCI DSS and no changes will be made to the requirements until 2013, it was a great opportunity to discuss what works and what does not. Issues with the current version, and emerging technologies the standard does not yet address, can then be considered and reflected in the next version. The Council bases the possible changes in next year’s release on the feedback it receives. (more…)
As we enter the last quarter of the year, it is time to start thinking about year-end deadlines. One important deadline to keep in mind is the deadline to be compliant with the updated PCI DSS 2.0 standard. Version 2.0 was announced in the fall of 2010, so merchants have had ample time to prepare for and meet its requirements.
Many businesses have already made the proper changes, but for those who have not, now is the time to review the new guidelines and take the steps needed to be in compliance. There are no significant changes in the transition from version 1.2.1 to 2.0; the updates are extensions and clarifications of the existing requirements, so take a moment to review them. (more…)
When you think of data security, the first thing that comes to mind is internet security services: firewalls, encrypted data and people sitting at computers writing code. All of that is true, but it is only one part of the PCI security paradigm.
In turn, when people ask ‘what is PCI?’ they are often surprised to learn that it is not as complicated to understand as one might think. When you get down to the fundamental core of PCI, the factors and rules involved are quite basic to comprehend once you peel the layers away. The purpose is essentially to keep cardholder data, electronic or physical, protected in a safe manner and to lock down your business operations so as to minimize the risk and exposure of a breach. (more…)