advertisement
advertisement

This is page 2 of:

A Look at PCI in 2010

Pages: 1 2

January 6th, 2010
PCI Columnist Walt Conway sees PCI 2.0 mandating the use of automated cardholder data discovery tools, will impose rules that will literally overrun the council's PCI training program and will likely not alienate Level 2s enough to make a difference. (That's the secret to a happy marriage, knowing the precise moment that an aggravation level will overtake apathy and stopping nanoseconds short of it.)

But Conway sees the data discovery prediction the most significant. "If you have a lot of locations, you have work to do setting up and scanning all those databases, workstations and servers. Especially watch to see if the Council decides to implement data discovery like it did wireless scanning (Requirement 11.1). If this happens, merchants will not be able to sample locations and will have to search each one. The good news is that you can conduct these searches internally and there are good open source products available. Your QSA likely would only need to verify the results of your automated discovery and to review the scope of your search."

This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.

Pages: 1 2

Posted in IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, Premium Content, Security/Fraud
advertisement

5 Comments | Read A Look at PCI in 2010

  1. Dave CISA/M/SP Says:
    January 7th, 2010 at 11:39 am

    Is anyone seeing movement towards revoking the “free pass” for transferring data unencrypted over private networks? In both Heartland and Hannaford data was being sniffed “on-the-fly”. Will the continuing trend towards malware-based data collection attacks drive the council to consider requiring the encryption of data “in flight”?

  2. Janice Gaines Says:
    January 7th, 2010 at 12:26 pm

    Anyone else here reading “I.T. WARS”? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has a great chapter on security. Just Google “IT WARS” – check out a couple links down and read the interview with the author David Scott. (Full title is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium”).

  3. Walt Conway Says:
    January 7th, 2010 at 7:10 pm

    @Dave,
    The focus of DSS is data at rest, but as you observe, data in transit can be vulnerable. Like you, I would not be surprised to see some move by the Council addressing unencrypted data over private/internal networks. I just don’t know when. I can think of two arguments for sooner rather than later. First, they update the DSS to reflect current attack vectors, which as you point out applies here. Second, the Council is looking at “emerging technologies,” a couple of which can in theory address this issue.

    Will PCI DSS reflect this as a new requirement? I’d say it will someday. The uncertainty is when that day will be. Merchants and processors truly interested in security will address this issue without waiting for the Council to mandate it.

  4. Don Giddens Says:
    January 8th, 2010 at 3:46 pm

    Interesting article. I’m curious. What happens to the PA-DSS validation status of a payment application once the Security Council implements a new standards version? Does it have to be re-validated under the new standard in order to remain compliant? It was my understanding that an application would remain compliant and acceptable for new deployments until it hits the re-validation date listed on the Security Councils web-site for that application even if a new standard was issued. Once that date is reached, it would then have to be re-validated under the current standard. Is this a correct interpretation?

  5. Walt Conway Says:
    January 30th, 2010 at 6:35 pm

    Don,
    Thanks for your comment and question. My understanding is the same as yours. That is, you would revalidate your app against the new/revised PA-DSS when you next assessed, whether that is at the current expiry date, or when you either introduce a new version or make a significant change to the app. Don’t forget those last two events, either which triggers a revalidation.

Leave a Reply

Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.

Weekly, Monthly Newsletters

Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly report, with urgent bulletins as news merits—along with our monthlies on Mobile, Security, In-Store, E-Commerce and CRM.
advertisement

Most Recent Comments

"Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?" -Ed

The Backward World Of Loyalty: "I'd Like A VCR, A Wired Phone and a Plastic Card-Based Loyalty Card, Please"

Walt Conway
The common thread in each case is immediacy. I carry no additional plastic in my wallet I can avoid. Then again, I'm not a typical consumer so maybe others have different experiences as retailers or consumers. Read more...

Neiman Marcus Goes Down, But Only For A Special Few

Steven P
We insist our staff check all changes (how ever small) on all the popular browsers. Its something we'd recommend to everyone. Read more...

The Never-Ending Dance Of Contactless Security

ed
Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required? Read more...

Home Depot's Try At Not Shutting Down Completely Leaves Customers Running In Circles

Bill N
This is SO Home Depot -- a lack of vigor resulting in rookie mistakes. I see it all the time in the stores. Read more...

MasterCard Pushing EMV PIN. Visa? Not So Much

James L.
When our company switched from AmEx to MC for business travel expenses, I thought we finally had the opportunity for chip/PIN & signature cards to facilitate the travel in Europe. "They're not available in the US yet", I was told by the bank representative who conducted the training on the new related expense reporting website. It was interesting to see that the chip card with mag stripe was available to my colleages in Canada. I thought the idea with chip & signature was to allow its use in both US & EU markets. One card - dual authorization methods. Read more...
Dan
I want Chip & PIN. With Chip & Signature, sure it has a an EMV chip, but then a fraudster could just steal my card, run it through the chip reader and then sign my name. The PIN adds an extra layer of security as only I (should) know it. At the very least, I would like to see a dual method wherein if the US insists on using Chip & Signature, our cards would work as Chip & PIN in countries where that is the norm. I am just sick of this back and forth. America needs to get off its high horse and comply with the world payment standards. Visa says Chip & Signature, MasterCard wants Chip & PIN and then Amex is mysteriously quiet. All of this talk....the government, banks, acquiring banks and card networks need to work together to make it affordable and easy to fast track EMV. Read more...

In The Security Vs. Compliance Battle Of The Mind, Security Is Winning

Andrew Jamieson
I think that this has the potential to provide a terrific win for the merchants in scope for these sorts of systems, and also to the security posture of payments as a whole - exactly because it should ensure that people who know what they are doing are the only ones involved in the details. Read more...

Guess CIO On iPad Trial: "This Is The Consumerization Of IT."

John Pruban
Because Apple provides little support at the enterprise level, it is interesting to watch the struggles as retailers implement. In Mike's case, he talks at great length about the augmentation of the customer experience. The biggest hole we see retailers struggle with here is basic wireless coverage. The experience goes bad quickly if, while your walking around, you get into the middle of a function and can't recover. Read more...

Brook
This phone is not "from Verizon". The operating system was written by Google. The hardware was manufactured by Samsung. The reason a person might buy such a device is to run Android software. Verizon is just the service provider that links the device to the telephone backbone and the Internet. Verizon has no right to tell users what software they can or cannot run on their devices. And "Google Wallet" or Verizon's (vaporware so far) competing product should be treated as just what they are: software. The users should be able to download and install their own choice. Read more...

Macy's In Australia: No, John, It's Not All Thanks To eBay

Ric
John Donahoe is so anxious to impress his Wall Street Masters that it comes as no surprise he exaggerated and got the facts wrong during the conference call. Read more...

In Theory, E-Commerce Sites Are Way Too Slow. But Do Customers Care?

Jason Goldberg
I love it when the data in vendor studies directly contradicts the conclusion, and thanks for calling it out. In the case of page load speed, while I am skeptical of the urban legends quantifying the effect of page load (1 conversion drop per 100ms, etc...), I have seen a number of first hand examples of improved performance directly improving bounce rate and conversion. So my own experience tells me that speed is an important factor in customer experience. I just don't believe it can be reduced to a simple equation. Read more...

Fortnum & Mason's PCI Weakness: Customer Service

Walt Conway
This is a great example of "customer service" trumping security. This situation also has me wondering if they also have a call recording system that captures and stores card data, too. Just for quality purposes, of course. It is disappointing that a leading retailer like Fortnum's would be so casually dismissive of their customers' security. Read more...
StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.