Tag Archives: pci

[ISN] Overcoming paralysis – why financial services organisations have to race to update their Windows Server strategy

http://www.bobsguide.com/guide/news/2015/Jul/6/overcoming-paralysis-why-financial-services-organisations-have-to-race-to-update-their-windows-server-strategy.html
By Dave Foreman, ECS, Practice Director
Bob’s Guide
July 6, 2015

Most of the technical support teams we work with know their Microsoft Server operating system inside out and have hardly lifted their phone to call Microsoft support in years. But this well-oiled machine is about to become IT departments’ biggest headache. With the end of Microsoft’s support for Server 2003 on July 14th 2015, migration from this rather old operating system has escalated from being a niggling worry to a high-risk agenda item. Only a handful of businesses have started their migration and even they will have to rely on Microsoft extended support. But this is not a cost-effective or risk-free option in the long term. At some point a new vulnerability in the operating system will be discovered and exploited; businesses will be exposed and the regulators will have a stronger case for non-compliance. According to the credit card industry’s PCI Security Council standards, if an unsupported operating system is Internet-facing, it will be logged as an automatic compliance failure. CIOs are caught between a rock and a hard place. Nobody wants to be caught in a position where they have to answer tough questions about plans to meet compliance and mitigate risk. […]


[ISN] PCI council gives up, dumbs down PCI DSS for small business

http://www.theregister.co.uk/2015/05/22/pci_council_drafts_small_biz_security_militia/
By Darren Pauli
The Register
22 May 2015

The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses. The prodigious task will be tackled by encouraging small businesses to adopt security best practice and simplified Payment Card Industry Data Security Standards (PCI DSS). Barclaycard payment security manager and taskforce chair Phil Jones says the Small Merchant Taskforce will focus on the most vulnerable business vertical. “Though incidents of fraud are low, it’s small merchants that are particularly vulnerable to attack from hackers,” Jones says. […]


[ISN] The 10 Biggest Bank Card Hacks

http://www.wired.com/2014/12/top-ten-card-breaches/
By Kim Zetter
Threat Level
Wired.com
12.02.14

The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches. A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot. Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars. The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen. Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed.
The PCI security standard (.pdf), which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant to the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment. […]


[ISN] Incoming PCI council head ready to take on the hackers

http://www.csoonline.com/article/2838369/data-protection/incoming-pci-council-head-ready-to-take-on-the-hackers.html
By Taylor Armerding
CSO
Oct 27, 2014

Stephen W. Orfei is the incoming general manager of the PCI Security Standards Council. He succeeds the council’s first general manager, Bob Russo, who will retire at the end of 2014. Orfei has decades of experience in payment technology, including 13 years in telecom with MCI International as director of international business marketing, and 14 years in payments with MasterCard Worldwide, the last three as senior vice president of emerging payments platform, advanced technology. Earlier this month, Orfei applauded President Obama’s executive order requiring federal agencies to adopt EMV (chip and PIN) technology for government payment cards and for point-of-sale terminals at federal facilities. In a statement, Orfei called EMV a “critical layer in any payment security strategy,” but added that “it is not by itself a silver bullet for data protection,” since it does not stop malware or card-not-present attacks. […]


[ISN] Retailers warned to act now to protect against Backoff malware

http://www.computerworld.com/article/2599724/data-security/retailers-warned-to-act-now-to-protect-against-backoff-malware.html
By Jaikumar Vijayan
Computerworld
Aug 27, 2014

The Payment Card Industry Security Standards Council on Wednesday issued a bulletin urging retailers to immediately review their security controls to ensure point-of-sale systems are protected against “Backoff,” a malware tool that was used in the massive data theft at retailer Target last year. The bulletin instructed all covered entities to update their antivirus suites and to change default and staff passwords controlling access to key payment systems and applications. The council, which is responsible for administering the PCI security standard, also urged merchants to inspect system logs for strange or unexplained activity, especially those involving transfers of large data sets to unknown locations. “The PCI Council additionally recommends that merchants consider implementing PCI-approved point-of-interaction (POI) devices” for encrypting credit and debit card data as the card is swiped or dipped into a payment terminal. Merchants should also consider deploying point-to-point encryption technologies to ensure that card data remains protected until received by a secure decryption facility, the advisory noted. […]


[ISN] How healthcare can learn from retail’s IT security mistakes

http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/
By Patrick Ouellette
Health IT Security
July 24, 2014

There’s little doubt the healthcare industry’s perception of security and compliance has changed to a serious one within the past few years. While regulatory demands and business needs are certainly strong drivers, what should healthcare organizations be focusing on as cybersecurity threats grow in stature? Eric Cowperthwaite of Core Security and former CISO for Providence Health discussed with HealthITSecurity.com how identifying risks early on can help reduce exposures. The days when the organizations that put effort into IT security were only large hospital systems and other organizations that had some sort of significant problem are certainly over. According to Cowperthwaite, there are a few indicators within the past 12-18 months that lead him to believe healthcare organizations, large and small, across the country are focusing on information security. “First is the amount of information security leaders hiring that’s being done,” he said. “And the second piece of it is the number of organizations that are sending their people to [security] conferences and training to help them interact with products and services providers.” Many of these changes have been driven by regulatory compliance, such as HIPAA, HITECH and Meaningful Use, but Cowperthwaite said there are other regulatory considerations, such as any hospital system being a tier 1 PCI merchant. Beyond compliance, the reality these days is that these organizations have a lot of data and there are a lot of “bad actors” out there who like to steal data. There are several main areas of focus that organizations should be beginning to worry about. First, Cowperthwaite said, though everyone is concerned about PHI disclosures because of bad publicity and potential fines, the other side of PHI disclosures is medical insurance fraud. […]


[ISN] Ram Scraper Malware: Why PCI DSS Can’t Fix Retail

http://www.darkreading.com/attacks-breaches/ram-scraper-malware-why-pci-dss-cant-fix-retail/a/d-id/1297501
By Brian Riley
Dark Reading
7/23/2014

There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data.

Target, Neiman Marcus, Michael’s, and possibly P.F. Chang’s all have one thing in common: They are recent victims of a type of malware called a RAM scraper that infects point of sale (POS) terminals. These data breaches occurred despite some, if not all, of these merchants complying with industry security standards. In Target’s case, government analysts estimate the total financial impact could reach as high as $12.2 billion. And the fallout continues. Target’s CEO Gregg Steinhafel set a new precedent, marking the first time that the head of a major corporation resigned due to a data breach. Merchants clearly must go beyond merely complying with industry security standards to reduce their risk, especially in relation to POS terminal malware.

Why PCI DSS does not apply

As you undoubtedly know, point of sale (POS) terminals are computers with card readers. Most computers have permanent storage, such as hard drives or flash memory, and temporary storage, such as random access memory (RAM). The security standard that dictates how payment card data is protected is called the Payment Card Industry Data Security Standard (PCI DSS). It requires merchants to encrypt credit card data residing on permanent storage or traversing its publicly accessible networks, but not while being processed in RAM. […]


[ISN] Don’t Waste Your Money: Are you staying at a hacker-friendly hotel?

http://wtkr.com/2014/07/08/dont-waste-your-money-are-you-staying-at-a-hacker-friendly-hotel/
By Doris Taylor
WTKR.com
July 8, 2014

As the travel season heats up, Consumer Reports cautions that some popular hotel and motel chains could be vulnerable to hackers because of weak security systems. The major credit-card companies require businesses to have standard data protections if they want to accept credit and debit cards. It’s called being PCI compliant. But Consumer Reports found that a number of hotels may not be. At a Super 8 motel in New York, the manager said he “had not heard” about PCI compliance. An assistant general manager at a Red Lion in California also said, “I never heard of this.” Similarly, a manager at an America’s Best Value in Washington state said, “I have no idea” about PCI compliance. In the past, hackers have taken advantage of weak security at hotels. For instance, there were three documented data breaches at properties of Wyndham Worldwide several years ago. According to a complaint by the Federal Trade Commission, “security failures” at Wyndham Worldwide led to more than $10 million in unauthorized charges. […]
