Wednesday, February 26, 2014

TARGET'S 3DES ENCRYPTION STATEMENT: WHAT DOES IT TELL US? WHAT INFORMATION IS MISSING? AND WHERE DOES PCI APPLY?

On December 27, Target issued an official statement about hackers' access to encrypted debit card PIN data, alongside the payment card numbers accessed during its breach event.

Some have wondered whether Target's claims regarding the encrypted PINs are accurate. Target has not provided enough detail to confirm them outright, but nothing in the statement indicates they are inaccurate, either. The details that have been disclosed align with how the payment workflow is known to work: customer PINs are encrypted on the PIN pad itself, using keys held inside a limited-function Hardware Security Module (HSM), and the encrypted PIN blocks are sent to Target's payment processor, where they are decrypted and validated inside the processor's HSM. In other words, neither clear-text PINs nor the encryption keys ever pass through Target's general-purpose systems.
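To make that workflow concrete, here is an added example (written for this edit, not taken from Target's statement or the original post) of the clear PIN block a PIN pad assembles before 3DES-encrypting it, and the reverse step the processor's HSM performs after decrypting. It assumes ISO 9564-1 format 0, the usual online-PIN format; the statement does not say which format Target's terminals use. The 3DES step itself is deliberately left out: it happens under a PIN Encryption Key that never leaves the secure hardware, which is the whole point of the statement.

```python
"""ISO 9564-1 format 0 ("ISO-0") PIN block construction and recovery.

Added example, not from the original post. Format 0 is an assumption;
the post does not say which PIN block format the terminals use.
The block built here is what the PIN pad 3DES-encrypts under its PIN
Encryption Key inside the secure module; in clear form it never leaves
that module, so the merchant's own systems only ever see ciphertext.
"""


def pin_field(pin: str) -> bytes:
    """Format 0 PIN field: nibble 0, PIN length, PIN digits, 0xF padding to 16 nibbles."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """Format 0 PAN field: four zero nibbles, then the 12 rightmost PAN digits
    excluding the Luhn check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def clear_pin_block(pin: str, pan: str) -> bytes:
    """The 8-byte clear block the PIN pad encrypts (PIN field XOR PAN field).

    Binding the block to the PAN means the same PIN yields different
    ciphertext for different cards, and a block replayed against another
    PAN fails to parse on the processor side."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """What the processor HSM does after 3DES-decrypting: undo the PAN XOR
    and parse the PIN field, rejecting anything that does not look like
    a valid format 0 field (e.g. wrong PAN or corrupted block)."""
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if not (4 <= length <= 12) or not pin.isdigit() or set(field[2 + length:]) != {"F"}:
        raise ValueError("bad PIN field or padding: wrong PAN or corrupted block")
    return pin


if __name__ == "__main__":
    # Constructed test values: a well-known test PAN and a throwaway PIN.
    pan, pin = "4111111111111111", "1234"
    block = clear_pin_block(pin, pan)
    print("clear PIN block:", block.hex())           # 041225eeeeeeeeee
    print("recovered PIN:", recover_pin(block, pan))  # 1234
```

Under a real terminal the clear block above is produced and encrypted inside the PIN entry device, and decrypted and verified inside the processor's HSM; the merchant's POS and store networks carry only the 3DES output, which is the claim Target's statement rests on.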

A FRESH NEW START MEANS A FRESH NEW LOOK AT YOUR PCI STATUS

Happy New Year! It's the time of year when many of us celebrate a fresh start and make new resolutions. Your resolution may have been one of the common ones: get to the gym more, stress less, actually use those vacation days this year. And like you, hackers make their own resolutions: attack more, reduce the time it takes to access a private database, take advantage of new attack vectors, and generally, cause more mayhem.

BUILDING MORE MOMENTUM: WHY NOW IS THE PERFECT TIME FOR ACQUIRERS TO RE-TOOL THEIR PCI PROGRAMS

The last couple of months have felt like a rollercoaster ride for those of us in the security and compliance space, as we watch multiple retailers come forward about data breaches and the forensic evidence being uncovered. In the midst of this, ControlScan has conducted two important payments industry surveys that lend credence to the belief that now, more than ever, security is everyone's problem.

Friday, August 10, 2012

Visa sets PCI compliance deadlines for the rest of the world

The largest merchants operating outside the US will have less than two years to secure credit card transactions, Visa announced on Monday.

Level-one retailers -- those processing more than six million Visa transactions per year -- must prove adherence to the Payment Card Industry Data Security Standard (PCI DSS) by Sept. 30, 2010, Visa said in a news release. After that date, Visa may begin issuing fines to acquiring banks, which typically pass the penalties down to the merchants.

Friday, December 3, 2010

Some PCI compliant hosting plans compared

E-PCI-Compliant Hosting
PCI compliant hosting is crucial for e-commerce operators in order to accept major credit cards. WebNet Hosting and the Miva Merchant shopping cart offer e-commerce solutions marketed as adhering to PCI compliance guidelines. Miva Merchant is now a fully PA-DSS validated shopping cart application.
E-Compliant plan:
  • 3000MB disc space
  • 60,000MB bandwidth/transfer
  • Up to 25,000 products
  • 100% uptime guarantee

Best Practices for Achieving PCI Compliance

The Payment Card Industry Data Security Standard, or PCI DSS, provides a well-defined list of security requirements, but many organizations are left with more questions than answers when it comes to determining how best to address each requirement in a manner that will be considered acceptable for PCI compliance.

When approaching PCI compliance, much of the effort can often be handled in-house, but it is also important to know when to ask for help. Misinterpretation of PCI requirements can lead to costly mistakes. To address the need for expert guidance, the PCI Security Standards Council maintains a program for training Qualified Security Assessors (QSAs).

PCI Compliance – Convert Drudgery Into a Powerful Security Framework

For my last session of the day at TRISC 2009, I decided to attend Joseph Krull's presentation on PCI compliance. Joe works as a consultant for Accenture and has performed 60+ PCI engagements for various companies. If your organization does any processing of credit card information, my notes from that session below should be useful:
  • As many as 65% of merchants are still not PCI compliant
  • Fines can be just the beginning; service charges and market share price dilution for non-compliant merchants have already had substantial repercussions in the US and may soon reach other regions
  • Many retailers still don't have a clear view of compliance, and cannot effectively identify gaps
  • The first steps to PCI compliance are a thorough internal assessment and gap analysis; many merchants skip these steps and launch multiple costly projects
  • PCI provides a regulatory and compliance framework to help prevent credit card fraud for organizations that process card payments
  • The framework is comprehensive and effective, but adherence to the specific standards is often challenging, primarily due to the complexities involved in both program design and implementation
  • Any merchant that accepts or processes credit cards must maintain compliance with the PCI DSS. Specific obligations vary based on transaction volumes.
  • Focus right now is on the Level 4s.
  • TJX is subject to 20 years of mandatory computer systems audits after its massive breach.

PCI Compliance should be easy

Ken Cheney
When it comes to security, the highest standard to date is the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for businesses that process payment card information.
Developed by Visa, American Express, Discover Financial Services, and other members of the PCI Security Standards Council, the PCI DSS is a collection of policies, procedures, and practices to protect customer account data. The standard includes specific requirements for strictly controlling access to customer data, authenticating business users, monitoring access, maintaining a secure network, and auditing system resources.
So, this is one tough standard to break, if followed correctly. But therein lies the rub, because according to a new study out from Verizon this week, a lot of companies aren’t completely following the PCI DSS well enough, which is leading to a marked increase in data breaches.
How much o

BEYOND PCI: OTHER REGULATIONS TO LOOK FOR IN 2010

Written by: Marc D’Annunzio, Dec. 22, 2008
Donna Kemp, T3i

Marc is a partner at McKenna Long & Aldridge LLP.

One of the trends most likely to affect the card industry in 2009 is the prospect of additional regulation.  Two areas -- card practices and interchange -- are most likely to come under scrutiny.

Card Practices

Just a few days ago, the Federal Reserve, the Office of Thrift Supervision and the National Credit Union Administration announced the enactment of comprehensive new rules regarding card practices.  These rules, which will not take effect until July 1, 2010, impose restrictions on a number of controversial issuer practices, including interest rate increases, late fees and double-cycle billing.  Many industry observers predict that the rules will result in less credit being made available, and on stricter terms, than has been the case over the last several years.

These rules may not be the end of the matter.  Rep. Carolyn Maloney (D-NY), who in 2008 introduced the Credit Cardholders’ Bill of Rights Act of 2008 (which sought to regulate many of the same practices as the then-proposed Fed rules), stated that she was disappointed in the delayed effectiveness of the Fed rules and promised to revive the Credit Cardholders’ Bill of Rights in 2009 to, as she put it, “bridge the gap” between now and the effective date of the Fed rules.

Interchange

Security vs. PCI Compliance

Written by: Fritz Young, Jan. 30, 2009
Joan Herbig


Reading accounts of highly publicized data breaches over the last few months at companies that were seemingly PCI compliant raises the question: does PCI compliance equal security? The answer is, "it depends." No business is ever completely secure, but companies can mitigate their risk and make it much harder and more resource intensive for anyone to breach their defenses. Becoming PCI DSS compliant provides baseline security and is a good first step. But it is critical to implement both the spirit and the letter of the standard.

Many companies implement only the letter of the PCI DSS, checking the boxes, if you will. They have technology and processes in place that satisfy the exact wording of the standard but do little to provide real security. For example, requirement 11.1 allows the use of a wireless analyzer (among other options; for the sake of this example we will use a wireless analyzer) to test for wireless access points. It does not specifically state where in the facility companies must test, or whether they should check channels above 11 (channels 12 and 13 exist, but are not permitted for use in the USA). The point is that some interpretation is required when answering the question. Can a company boot up its wireless analyzer, leave it stationary even though the store is large, check only the channels permitted in the USA, and then tick the requirement off the list? At the very least the company can make a strong internal argument that the requirement is met. Whether its acquiring bank or another assessor would accept that as a valid response will likely depend on the entity.
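As an added example of the difference between the letter and the spirit of 11.1 (this code was written for this edit and is not from the original post): a small rogue-AP check that parses scan output in the style of Linux `iwlist scan`, flags every BSSID that is not in an authorized inventory, calls out APs sitting on channels 12-14 that a US-default scan would never see, notes any rogue that broadcasts one of the store's own SSIDs, and reports which required scan locations were never scanned at all. The scan text, the inventory, and the location names are all constructed for the example.

```python
"""Rogue wireless AP check in the spirit of PCI DSS requirement 11.1.

Added example, not from the original post. The authorized inventory, the
scan output, and the location names below are constructed for illustration.
Two points the post raises are built in: scan every channel the hardware
can see (including 12-14, not just the US channels 1-11), and scan every
location that must be covered, not one stationary spot in a large store.
"""
import re

# Constructed: the APs the store's inventory says are supposed to exist.
AUTHORIZED = {
    "00:11:22:33:44:55": "STORE-POS",
    "00:11:22:33:44:66": "STORE-POS",
}

# Constructed scan output, one iwlist-style capture per scan location.
SCANS = {
    "front-registers": """\
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:6
                    ESSID:"STORE-POS"
          Cell 02 - Address: DE:AD:BE:EF:00:01
                    Channel:13
                    ESSID:"linksys"
""",
    "stockroom": """\
          Cell 01 - Address: 00:11:22:33:44:66
                    Channel:11
                    ESSID:"STORE-POS"
          Cell 02 - Address: DE:AD:BE:EF:00:02
                    Channel:1
                    ESSID:"STORE-POS"
""",
}

US_MAX_CHANNEL = 11  # a US-only 2.4 GHz scan stops here

CELL_RE = re.compile(
    r"Address:\s*(?P<bssid>[0-9A-Fa-f:]{17}).*?"
    r"Channel:(?P<chan>\d+).*?"
    r'ESSID:"(?P<essid>[^"]*)"',
    re.S,
)


def parse_scan(text):
    """Turn iwlist-style text into a list of {bssid, channel, essid} dicts."""
    return [
        {"bssid": m["bssid"].upper(), "channel": int(m["chan"]), "essid": m["essid"]}
        for m in CELL_RE.finditer(text)
    ]


def find_rogues(scans, authorized, required_locations):
    """Return (rogue_aps, unscanned_locations).

    A rogue is any BSSID not in the authorized inventory. Each finding
    carries the reasons a reviewer would want to see, and the second
    return value lists required locations with no scan at all."""
    rogues = []
    for location, text in scans.items():
        for ap in parse_scan(text):
            if ap["bssid"] in authorized:
                continue
            reasons = ["BSSID not in authorized inventory"]
            if ap["essid"] in authorized.values():
                reasons.append("broadcasts an authorized SSID (possible evil twin)")
            if ap["channel"] > US_MAX_CHANNEL:
                reasons.append("channel above 11; a US-only scan would miss it")
            rogues.append({**ap, "location": location, "reasons": reasons})
    unscanned = sorted(set(required_locations) - set(scans))
    return rogues, unscanned


if __name__ == "__main__":
    required = ["front-registers", "stockroom", "loading-dock"]
    found, missing = find_rogues(SCANS, AUTHORIZED, required)
    for r in found:
        print(f"{r['location']}: {r['bssid']} ch{r['channel']} '{r['essid']}' -> {'; '.join(r['reasons'])}")
    for loc in missing:
        print(f"{loc}: NOT SCANNED")
```

Run against the constructed data, the check finds two rogues: one on channel 13 that a scan limited to US channels would never show, and one on channel 1 impersonating the store's own SSID, plus a required location (the loading dock) that nobody scanned. A box-ticking scan from one spot over channels 1-11 would report the site clean.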