Tag Archives: PCI

Making Administration of Compliance Easy

Compliance has become a frightening prospect for many organisations, because several regulatory mandates apply at once. Preparing a product or environment for SOX, PCI DSS or HIPAA compliance is now a difficult and tedious task. Manual workarounds, failed audits and the threat of disciplinary action under the various acts make a slow, piecemeal approach to compliance unreasonable and undesirable. Enterprises therefore want compliance solutions that are highly automated, tightly integrated, comprehensive, scalable and reliable. Cloud computing services that offer these capabilities while leaving you in control of proliferating information and compliance requirements are in high demand.

Automated cloud services that handle data collection, benchmark mapping, change tracking and reporting are designed to make auditing simple, whether the auditor sits inside or outside the enterprise. They put proactive controls in place for regulatory compliance, support several compliance regimes at once, and provide a centralised structure in which policy can be defined and compliance auditing automated across platforms and environments. Some cloud solutions also build in an extensive library of policies whose rules address common compliance problems; scan results can then be mapped automatically on a dashboard to the specific legal mandates they relate to. The outcome is simpler compliance and data that can be reviewed at a glance.

Most cloud backup and storage systems come with always-on features that lock out unauthorised users and track user activity. File integrity monitoring software records changes to files, directories and registry keys and raises immediate, visible alerts, so that an incident that could lead to data compromise is caught early. Read and write protection, together with reconciliation maps that track changes against the original system, give cloud backup systems an adequate level of security. As a result, management complexity is reduced while security is considerably strengthened.
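As an added illustration (not code from the original page or from any product it describes), the following stand-alone Python script shows the core of what file integrity monitoring does: it records a baseline of SHA-256 hashes, sizes and permission bits for every file under a directory, compares a later snapshot against it, and reports additions, removals and modifications. The baseline itself is sealed with an HMAC so that someone who can alter the monitored files cannot quietly rewrite the baseline as well. The directory layout, file contents and key in the demo are constructed for this example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_snapshot(root: str) -> Dict[str, dict]:
    """Record hash, size and permission bits for every regular file under root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip sockets, fifos and the like
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return snapshot


def seal_baseline(snapshot: Dict[str, dict], key: bytes) -> bytes:
    """Serialise the baseline and attach an HMAC so tampering with it is detectable."""
    body = json.dumps(snapshot, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body.decode(), "hmac": tag}).encode()


def open_baseline(sealed: bytes, key: bytes) -> Dict[str, dict]:
    """Verify the HMAC before trusting a stored baseline."""
    wrapper = json.loads(sealed)
    body = wrapper["baseline"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        raise ValueError("baseline HMAC mismatch: the baseline file has been altered")
    return json.loads(body)


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified (hash, size or mode changed)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def write_text(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, tamper with the tree, report the diff."""
    key = b"constructed-demo-key-keep-the-real-one-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as root:
        write_text(os.path.join(root, "etc", "app.conf"), "db_host=10.0.0.5\n")
        write_text(os.path.join(root, "etc", "old.conf"), "legacy=1\n")
        write_text(os.path.join(root, "bin", "pay"), "#!/bin/sh\necho charge\n")
        sealed = seal_baseline(build_snapshot(root), key)

        # Constructed tampering: config edited, binary made world-writable,
        # a file removed and an exfiltration script dropped in.
        with open(os.path.join(root, "etc", "app.conf"), "a") as fh:
            fh.write("db_host=198.51.100.9\n")
        os.chmod(os.path.join(root, "bin", "pay"), 0o777)
        os.remove(os.path.join(root, "etc", "old.conf"))
        write_text(os.path.join(root, "bin", "dump.sh"), "tar czf /tmp/x.tgz /var/spool\n")

        return compare(open_baseline(sealed, key), build_snapshot(root))


def tampered_baseline_rejected() -> bool:
    """Show that editing the stored baseline without the key is caught."""
    key = b"constructed-demo-key"
    sealed = seal_baseline({"a": {"sha256": "x", "size": 1, "mode": 0o644}}, key)
    wrapper = json.loads(sealed)
    wrapper["baseline"] = wrapper["baseline"].replace('"x"', '"y"')
    try:
        open_baseline(json.dumps(wrapper).encode(), key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC key must be kept somewhere the monitored host cannot read it (a management server or the backup service itself); if it lives beside the baseline, an intruder with write access simply re-seals the baseline after making changes.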

Below are the functions of cloud computing services that you need to know about:

– centralised data management for policy inspection, strategy and reporting;
– continuous change management and configuration integrity;
– integration with host intrusion prevention, vulnerability management and application control software.

With continuous visibility, cloud computing users can keep up with constant compliance expectations. Cloud compliance avoids the labour-intensive mistakes and errors of disconnected compliance products, substantially reduces the cost of compliance and dramatically reduces operational complexity. There are, in fact, more benefits to cloud computing than those discussed above.

PCI DSS under review

The organisation responsible for the Payment Card Industry Data Security Standard (PCI DSS) has begun the process of analysing and updating the rules that aim to protect the private details of millions of consumers and businesses around the world.

The PCI Security Standards Council announced that it would be reviewing the current standards and making amendments, although it confirmed that businesses would not need to take additional action once a decision is reached.

The council published a report as to how the threats to the payment card industry have changed and evolved in the recent past and explained how this would be reflected in the revamped PCI DSS.

A variety of industry areas are covered by the PCI DSS, and the first set of changes is to be introduced by October, with alterations to PIN security on cards. The PCI Security Standards Council said that it was preparing those who would be affected by the changes as the launch date draws near.

The buzzword surrounding the updated PCI DSS is flexibility and the council believes that businesses, financial institutions and PCI suppliers will be able to scale their operations and defences to match the severity of the threat, in addition to having access to improved tools for reporting and detecting vulnerabilities.

Significantly, there will be no additional obligations enforced as a result of the PCI DSS revision, with a greater emphasis on the allocation and appreciation of responsibility.

The council’s Bob Russo said that the fact that the update was only going to make small adjustments to the current PCI DSS underlined the robustness of the existing security standards.

Mr Russo went on to say that the council was giving organisations plenty of notice ahead of the changes in order to accommodate any necessary alterations or updates to policy and systems.

Further to updating the PCI DSS, the council is set to chair events at which key groups will be able to express their opinions and become involved in the process of formulating future security strategies.

PCI DSS updated with new regulations

Businesses dealing with payment card transactions will need to examine in detail the freshly updated security requirements from the Payment Card Industry Security Standards Council in order to ensure continued compliance and protection for customers.

The Payment Card Industry Data Security Standard (PCI DSS) is managed by this organisation, and it is accepted internationally by businesses of all kinds. Sub-categories of the overall set of rules have been updated in order to move with the ever changing technology and the threats against which businesses and consumers must be robustly defended.

The regulations governing PIN Transaction Security (PTS) and Point of Interaction (POI) devices are now moving to version 3.0, with the update representing three years of the continuous review and analysis that runs in cycles within the council. Many hundreds of businesses have been involved in formulating the update, which ensures that real world threats are addressed.

The PCI Security Standards Council has confirmed that the new requirements will see the standardisation of PIN entry terminals. This will alter the current rulings, which differ depending on whether the terminal is manned by a member of staff, remotely monitored or comprehensively encrypted; replacing these separate rules with a unified update should make compliance easier while improving security at the same time.

Several new regulations have been implemented in order to increase security in key areas. This includes replacing older, less secure wireless standards for payment card data transmission with more robust alternatives, as well as requiring encryption of consumer information whenever it is handled by businesses and at every point on its journey.

The PCI Security Standards Council has accepted that these stricter regulations will require suitable technology to support them and, as such, has approved additional technology to help firms adhere to the regulations and make payment card information much harder to access for anyone without the requisite authority.

The PCI Security Standards Council's Bob Russo said that protecting customer data and preventing loss or theft would be made far easier under the new regulations, with blanket encryption and improved wireless protocols making all the difference.

Ensuring data integrity with PCI DSS

The Payment Card Industry Security Standards Council has only existed as a recognised entity for three years. In that short time, compliance with its 12-requirement Data Security Standard (PCI DSS) has helped improve the integrity of data on a global scale.

The PCI DSS is quite clear about exactly which kinds of data need to be protected, and this simplicity is one of its most powerful aspects. Protecting cardholder data, personal health information and personally identifiable information is of course key to proper data security. However, data protection under the PCI DSS is not solely a matter of knowing which kinds of data to protect; it is also about accurately tracking that data across the business network as a whole.

Is PCI DSS Compliance effective? Not without Requirement 13

There has been widespread reporting this week of a recent fraud case in which fully PCI DSS compliant businesses were the victims of a huge and repeated breach that allowed the perpetrators to steal 130 million individual records.

Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.
[ http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/ ]

The fact that some, if not all, of the companies involved in this fraud case were PCI DSS compliant before the attacks has sparked questions about the efficacy of PCI regulations. Steve Dauber, vice president of marketing at RedSeal, noted that PCI audits are only the beginning.

“PCI is actually a pretty reasonable set of basic security recommendations,” he said. “The problem is that businesses mistake passing a PCI audit with being PCI compliant. Audits aren’t comprehensive by nature; they will never catch every potential error in implementation. More importantly, audits occur at a point in time, but your IT infrastructure changes constantly. So even if you do pass your audit, you may fall out of compliance the next week. If you want to benefit from PCI, you need to maintain compliance both comprehensively and continuously.”

Comprehensively and continuously? That is easier said than done.

I believe there is a bigger and potentially more widespread exposure that needs to be addressed.

Let’s assume for a moment that these businesses had successfully secured their networks and prevented the hack in the first place. What about securing the backup strategy for this critical data?

Data backup is one area that has received little or no attention in PCI DSS compliance discussions. In fact, even the PCI DSS compliance checklist makes little or no reference to what backup responsibilities businesses have.

Here is the dilemma. A PCI DSS compliant business must build and maintain a secure network (Requirements 1 and 2). All businesses must also implement a robust data backup strategy, which involves geographical separation between production data and backup data. The minute the data is copied onto a tape or disk and leaves the secure network, it is at greater risk.

I believe that PCI DSS Compliance should add an additional requirement to the existing 12 to ensure businesses have a secure backup routine as well as a secure network.

This would be PCI DSS Compliance Requirement 13. Number 13, unlucky for some, especially those who are still using unencrypted backup systems to protect their data.

http://www.backup-technology.com/hsbc-fined-3000000-for-data-breaches/

Using encryption and online backup would ensure the data was protected securely. It is good business practice, rather than PCI DSS compliance checklists, that should encourage this safer backup strategy.
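An added example, not code from the original post: the check a practitioner would run before a backup set leaves the secure network, which is exactly the exposure the proposed Requirement 13 is about. The script builds a small, constructed gzipped tar backup in memory (a CSV export, a point-of-sale log containing track data, and an application log), then looks for runs of 13 to 19 digits that pass the Luhn check and reports them masked to the first six and last four digits. File names and contents are made up; the card numbers are the widely used 4111... and 5555... test values, and 198.51.100.x style IDs and the 20-digit track tail are included to show what is deliberately not flagged.

```python
import io
import re
import tarfile
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so 20-digit IDs and track discretionary
# data are skipped rather than partially matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", re.ASCII)

# Constructed stand-in for the contents of a nightly backup.
SAMPLE_FILES = [
    ("db/orders.csv",
     "order_id,card,amount\n1234567890123456,5555 5555 5555 4444,42.00\n"),
    ("logs/pos.log",
     "2009-04-30 12:01:07 AUTH ok track1=%B4111111111111111^DOE/JOHN^15121011000000000000?\n"),
    ("logs/app.log",
     "2009-04-30 12:01:08 order 1234567890123456 shipped, ref 0123456789012\n"),
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings of every Luhn-valid candidate in text."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """First six and last four only, which is all a scan report should ever show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_sample_archive() -> bytes:
    """Build the constructed backup as a gzipped tar entirely in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in SAMPLE_FILES:
            data = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_archive(archive: bytes) -> List[Tuple[str, str]]:
    """Return (member name, masked PAN) for every card number found in the archive."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            # latin-1 maps every byte to one code point, so binary members scan too
            text = fh.read().decode("latin-1")
            for pan in find_pans(text):
                findings.append((member.name, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    hits = scan_archive(build_sample_archive())
    for name, masked in hits:
        print(f"cleartext PAN in {name}: {masked}")
    # A non-zero exit lets a backup job refuse to ship the set off-network.
    raise SystemExit(1 if hits else 0)
```

A hit means the backup must not leave the network in this form: either the backup stream is encrypted end to end, or the source data is fixed so that full card numbers are never written to the files being backed up in the first place. Luhn filtering keeps order numbers and timestamps out of the report but is not proof of absence; compressed or encrypted members inside the archive would need to be expanded before scanning.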
