Tag Archives: PCI DSS

The importance of conforming to PCI DSS

PCI commentators and recent surveys have again reinforced the importance of the Payment Card Industry Data Security Standard, as well as highlighting the penalties and pitfalls of ignoring PCI DSS guidelines. Writing for Infosecurity Magazine, independent security analyst Mark Gillespie collates and analyses recent findings which support and promote PCI DSS.

Gillespie identified the current confusion surrounding the application of and adherence to PCI DSS. Since its introduction in 2004 a number of big-name brands have incurred fines for improper protection of cardholder data. The highest-profile case occurred in 2007, when high street chain TK Maxx was penalised for a lack of adequate safeguards in its payment card system.

Ensuring data integrity with PCI DSS

The Payment Card Industry Security Standards Council has only been a recognised entity for three years. In this short time, compliance with its twelve-requirement Data Security Standard (PCI DSS) has helped improve the integrity of data on a global scale.

The PCI DSS is quite clear as to exactly what kinds of data need to be protected, and this simplicity is one of its most powerful aspects. Protection of cardholder data, personal health information and personally identifiable information is of course key to proper data security. However, data protection under the PCI DSS regulations is not solely based on knowing which kinds of data to protect. It is also about accurate data tracking within a business network as a whole.

Is PCI DSS Compliance effective? Not without Requirement 13

There has been widespread reporting this week of a recent fraud case in which fully PCI DSS compliant businesses were victims of a huge and repeated breach that allowed the perpetrators to steal 130 million individual records.

Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.
[ http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/ ]

The fact that some, if not all, of the companies involved in this fraud case were PCI DSS compliant before the attacks sparked questions about the efficacy of PCI regulations. Steve Dauber, vice president of marketing at RedSeal, noted that PCI audits are only the beginning.

“PCI is actually a pretty reasonable set of basic security recommendations,” he said. “The problem is that businesses mistake passing a PCI audit with being PCI compliant. Audits aren’t comprehensive by nature — they will never catch every potential error in implementation. More importantly, audits occur at a point in time, but your IT infrastructure changes constantly. So even if you do pass your audit, you may fall out of compliance the next week. If you want to benefit from PCI, you need to maintain compliance both comprehensively and continuously.”

Comprehensively and continuously? That is easier said than done.

I believe there is a bigger and potentially more widespread exposure that needs to be addressed.

Let’s assume for a moment that these businesses had successfully secured their networks to prevent the hack in the first place. What about securing the backup strategy relating to this critical data?

Data backup is one area that has received little or no attention in PCI DSS compliance discussions. In fact, even the PCI DSS compliance checklist makes little or no reference to what backup responsibility businesses have.

Here is the dilemma. A PCI DSS compliant business must maintain a secure network (Requirement 6). All businesses must also implement a robust data backup strategy, which involves geographical separation between production data and backup data. The minute the data is copied onto a tape or disk, which then leaves the secure network, it is immediately at greater risk.

I believe that PCI DSS Compliance should add an additional requirement to the existing 12 to ensure businesses have a secure backup routine as well as a secure network.

This would be PCI DSS Compliance Requirement 13. Number 13, unlucky for some, especially those who are still using unencrypted backup systems to protect their data.

http://www.backup-technology.com/hsbc-fined-3000000-for-data-breaches/

Using encryption and online backup would ensure data was protected securely. It is a question of good business practice, not PCI DSS Compliance checklists, that should encourage this safer backup strategy.
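As an added illustration of the point above, not code from the original post or from Backup Technology, here is a Go program that does two things a backup operator would want before media leaves the secure network: it scans a backup image for Luhn-valid card numbers sitting in plaintext, and it seals the image with AES-256-GCM so that the copy on tape or disk is both unreadable and tamper-evident. The sample record, the test PAN 4111111111111111, the backup-set label and the key-handling (a fresh random key held only in memory) are assumptions made for the example; a real deployment would keep the key in a key management system rather than next to the media.

```go
// Added example (not part of the original post). Assumptions: the sample record
// below is constructed, the key is generated in memory for demonstration only,
// and the backup-set label is an arbitrary string chosen here.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// sampleBackup is a constructed backup record. 4111111111111111 is a widely
// published Visa test number, used here so the scan has something to find.
var sampleBackup = []byte(
	"customer=A.Example|pan=4111111111111111|exp=12/29|" +
		"track2=;4111111111111111=2912101...?\n")

// digitRun matches the 13 to 19 digit runs in which a PAN could appear.
var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid reports whether a digit string passes the Luhn check-digit test.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// findPlaintextPANs returns every Luhn-valid digit run found in data. A
// non-empty result means the image must not leave the secure network as-is.
func findPlaintextPANs(data []byte) []string {
	var hits []string
	for _, m := range digitRun.FindAll(data, -1) {
		if luhnValid(string(m)) {
			hits = append(hits, string(m))
		}
	}
	return hits
}

// newBackupKey returns a random 32-byte key for AES-256 (demonstration only).
func newBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// sealBackup encrypts data with AES-256-GCM. The random nonce is prepended to
// the ciphertext, and label is bound as associated data so a sealed image
// cannot later be passed off as a different backup set.
func sealBackup(key, data []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, []byte(label)), nil
}

// openBackup reverses sealBackup; it fails if the media was modified or if the
// label does not match the one used at seal time.
func openBackup(key, sealed []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func main() {
	const label = "cardholder-db-weekly"
	key, err := newBackupKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext PANs in raw image:   ", findPlaintextPANs(sampleBackup))
	sealed, err := sealBackup(key, sampleBackup, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext PANs in sealed image:", findPlaintextPANs(sealed))
	restored, err := openBackup(key, sealed, label)
	fmt.Println("restore matches original:      ", err == nil && bytes.Equal(restored, sampleBackup))
	sealed[len(sealed)-1] ^= 1 // simulate a corrupted or altered tape
	_, err = openBackup(key, sealed, label)
	fmt.Println("tampered media rejected:       ", err != nil)
}
```

The scan is deliberately coarse: any Luhn-valid 13 to 19 digit run is reported, which will occasionally flag a non-card number, but for a pre-shipment check a false positive is far cheaper than an unencrypted PAN on a tape in transit. GCM is used rather than a bare block-cipher mode so that a restore from altered media fails outright instead of silently producing garbage.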
