PCI DSS, Myths

There is a lot, a heck of a lot of mis information doing the rounds in regards to the PCI DSS.

We have put together some of the most common myths in relation to PCI compliance, below are a couple of myths doing the rounds, if you would like the full list then please use the contact page and we will email the full document to you.

Most of our transactions are online and therefore we do not take sufficient amounts of transactions over the phone to warrant compliance above level 4…..

The number of transactions conducted over the phone, internet and other applications are cumulative and therefore it is the total number of transactions that are relevant regardless as to where or how they have been processed. For example if an organisation takes less than 20,000 Visa/MasterCard transactions over the phone but process over 1 million via other means such as internet, tablet applications etc they must ensure they meet all the controls for level 2 compliance for phone calls as well as e commerce.

 

My organisation is buying/has bought PCI FAS approved equipment

Many organisations are investing high levels of capex into PCI DSS approved equipment to address the requirement to be approved, the issue with this is although it is useful to have PCI compliant hardware and software to meet certain requirements, the organisation still has to meet ALL of the controls in order to pass the audit which will in all certainty still be a complex, expensive and long-winded process.

Do organisations using third-party processors have to be PCI compliant?
Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance.  However, it does not mean they can ignore PCI. You and or your organisation must ensure ALL controls are met and maintain.

I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
This is a common misunderstanding, small merchants handling small numbers of transactions per year believe they are either exempt from compliance or believe they only need to be level self certified. If you are a merchant and are set up to take/process cards transactions by any mechanism – then you need to be complaint. In addition all transaction types count towards a cumulative total to determine what level of compliance a merchant or organisation needs to adhere to.

One vendor and product will make us compliant.
Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities and excludes positioning these with other requirements of PCI DSS, the resulting perception of a ‘silver bullet’ might lead some to believe that the point product provides ‘compliance’, when it’s really implementing just one or a few pieces of the standard. The PCI Security Standards Council urges merchants and processors to avoid focusing on point products for PCI security and compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the ‘big picture’ related to the intent of PCI DSS requirements.

PCI DSS, CVV seller network closed down

The Serious Organised Crime Agency (SOCA), working in collaboration with the FBI and the US Ministry of Justice, has shut down 36 major CVV sellers’ websites that were trading in stolen credit card details and online banking credentials. SOCA says the closures will reduce international fraud by more than £500 million a year.

The carder sites acted as online marketplaces for stolen card data, using e-commerce platforms known as Automated Vending Carts (AVCs) to collect the card data from criminals and then resell the account details to buyers around the world.

SOCA, the UK national police agency whose auspices include fraud and computer crime, said it has been tracking the development of AVCs and monitoring their use for some time. Over a two-year period, it worked with the FBI in the US, the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police and the Romanian National Police, to recover more than 2.5 million cards and credentials of compromised personal and financial information. It said the recovered data has been passed to UK and overseas financial institutions to help prevent further fraud from taking place against the accounts.

The case underlines the need for merchants and service providers to “ensure they comply with the requirements of PCI DSS to protect card holder data and prevent it from ending up on sites where the data can be sold for a couple of pounds.”

For the full story visit Search Security

PCI DSS Am I Affected?

This is a question I am often asked, the short and simple answer is yes.

Don’t just take my word for it, View this short animated video for a “tongue in cheek” look at the history of the evolution of payment card security and the PCI Security Standards Council (PCI SSC), the organization responsible for the PCI Data Security Standard (PCI DSS) and other standards for keeping cardholder data secure

 

PCI

PCI DSS will become a major issue for merchants this year, as from now, January 2012 all assessments will now be based on version 2.

PCI DSS requirements or controls are mandatory – if an organisation wants to comply with
PCI DSS then it must comply with every requirement laid out in the standard. In contrast, ISO 27001 controls are suggested controls, and each organisation has the flexibility to decide which controls it wants to implement dependent upon the risk appetite of the organisation.

PCI DSS version 2. must be adopted by all organisations with payment card data by 1 January 2011, and from 1 January 2012 all assessments must be against version 2. of the standard.

PCI DSS was developed by the major credit card companies as a guideline to help protect organizations that process card payments against fraud, hacking and various other security vulnerabilities and threats.

PCI DSS requires internal and external scanning of both wired and wireless networks.

PCI DSS mandates that scanning actually happens on schedule, while vulnerability
assessment helps find the holes that attackers may exploit to steal the card data. PCI DSS compliance for large merchants (Level 1) is a major undertaking that costs tens of thousands of pounds and takes many months.

Security scanning companies interested in providing scan services as part of the PCI program must comply with the requirements of the PCI DSS and must successfully complete the PCI Security Scanning Vendor Testing and Approval Process. Qualified Security Assessors (PA-QSAs)

The Payment Card Data Security Standards (PCI DSS) defines twelve (12) requirements for compliance, organized into six (6) categories, below . . .

BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain a policy that addresses information security

Hotels| PCI DSS| Credit Cards

Telephone & internet hacking and data theft are becoming major concerns for businesses across industries. Irrespective of size, if your business accepts credit cards as a mode of payment, it immediately exposes itself to the huge threat of data hacking, theft and breach. The hospitality industry is no different. With the travel industry growing rapidly, hotels and restaurants access and store customers credit card information and feedback forms as part of their accounts and CRM on a daily basis.  It has become imperative to protect this guest information and data with uttermost privacy. In fact, according to a recent study, hotels and restaurants have accounted for the largest amount of credit card breaches. Thus, the hospitality sector has no choice but to comply with Payment Card Industry Data Security Standard (PCI DSS) requirements to secure itself and protect against data thefts and loss.

PCI DSS standards maybe overwhelming for smaller hotels and restaurants, but with a robust hotel software or hotel ERP, hoteliers can secure their networks to run at optimal capacity.

What is PCI DSS?

Payment Card Industry Data Security Standard (PCI DSS), are a set of requirements that any business using credit card as a payment mode must adhere to. These are a set of guidelines and IT requirements that can be implemented while configuring IT and payment processing environments.

PCI DSS was established by five of the world’s major card networks: American Express, Visa, Discover, JCB and MasterCard.

Where Do PCI DSS Standards Apply?

PCI DSS standards are a set of international security requirements that govern all areas of sensitive guest payment card data processing such as:

  • Magnetic card stripe
  • Security codes and passwords on all property applications, includingWindows
  • PIN that results when a transaction is authorized
  • Physical security of printed reports

Requirements for a PCI DSS Certification

Hotels must meet specific requirements to earn a PCI DSS certification.  These requirements include standards for:

  • Network security – firewalls and password configuration
  • Using secure PCI-certified system applications
  • Restrictions on cardholder data access – both electronically and physically

Advantages of PCI DSS to the Hospitality Sector

Data theft could result in a hotel or restaurant being black listed, resulting in loss of thousands of dollars of revenue. PCI DSS benefits a hospitality property in terms of

  • Better protection of sensitive company & guest data
  • Reduced risk of data theft
  • New revenue opportunities
  • Optimized processes and systems
  • Improved efficiency and brand value

PCI DSS also protects a hotel in terms of providing strong access control measures. It also regularly monitors and tests security of the network and maintains a vulnerability management program to deal with breach.

How to Stay PCI DSS Compliant

Here is a quick list of things to do so that your hotel property becomes PCI DSS compliant

  • Install and maintain a firewall to protect cardholder data
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Avoid using vendor-supplied default settings for system passwords and other security parameters
  • Encrypt transmission of cardholder data across open and public networks
  • Ensure your anti-virus software is always updated
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security

The onus really is on you to become PCI DSS compliant and verify your compliance with each payment card brand if you are an independent hotel, restaurant or resort. If you are part of a franchise, reach out to your franchisor to see they have implemented a PCI compliance program for their franchisees or if they are offering any guidance.

PCI DSS

PCI SECURITY STANDARDS COUNCIL ANNOUNCES UPDATE TO POINT-TOPOINT ENCRYPTION PROGRAM

The PCI Security Standards Council (PCI SSC),
a global, open industry standards body providing management of the Payment Card
Industry Data Security Standard (PCI DSS), PIN Transaction Security (PTS)
requirements and the Payment Application Data Security Standard (PA-DSS), today
announced availability of updated requirements for point-to-point encryption (P2PE)
solution providers to implement hardware- based solutions for merchants to use,
including testing procedures and training for assessing these solutions.
The Council first introduced its point-to-point encryption program at the end of 2011.
The initial requirements set the standard for hardware-based point-to-point encryption
solutions, providing a method for vendors to validate their P2PE solutions and for
merchants to reduce the scope of their PCI DSS assessments by using a validated
P2PE solution for accepting and processing payment card data.

You can download the summary of changes here

PCI-DSS and the ICO

Companies that fall below card payment standards risk being fined, ICO says, this is in addition to the PCI fines and costs!

Businesses that fall short of set standards for ensuring the security of credit card data could be fined, by the UK’s data protection watchdog.

The Information Commissioner’s Office (ICO) said that retailers that fail to process payment information in accordance with the Payment Card Industry Data Security Standard (PCI DSS) “or provide equivalent protection when processing customers’ credit card details” risk action being taken against them.

PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions. The standard was established by the PCI Security Standard Council which comprises major payment card brands including American Express, Visa and MasterCard.

Under UK data protection laws the ICO has the power to fine organisations up to £500,000 for serious breaches of the laws which govern the protection of personal data. UK organisations that store personally identifiable information must adhere to certain principles, which include ensuring that data is not accidentally lost or damaged and is properly secure, under the provisions of the Data Protection Act.

The ICO issued its warning after finding that website hackers had been able to access the credit card information of 5,000 consumers that had shopped with cosmetics retailer Lush. The ICO said the data was “compromised” for four months between October last year and January 2011.

Lush received 95 complaints from customers who had been victims of fraud. It identified a “security lapse” in January this year and immediately restored the website’s security, the ICO said.

An ICO investigation found that measures Lush employed to secure customers’ payment details were “not sufficient to prevent a determined attack on their website”. The retailer’s methods for recording suspicious activity were not adequate either and this meant there was a delay in the time it took the company to spot that its security had been breached, the ICO said.

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals,” Sally Anne Poole, Acting Head of Enforcement at the ICO, said in a statement.

“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back,” Poole said.

Source: Out-Law.com

What this means for companies in the UK is that not only will they face potential fines of up to £300,000 from PCI they will also, potentially face a double fine from the ICO as well. That gives a total potential fine of up to £800,000. How many businesses could afford to pay that, as well as the costs involved in the recovery of any monies lost by the card companies caused by fraud following the failure of a business to take the measures required by PCI-DSS.

PCI DSS

Just a quick update on our PCi telephony solution.

The developers have been working flat out with the PCI and are well on the way to achieving Level 1 accreditation for the Pay-Tel product.

This places our product beside such large and distinguished names as Sage pay and paypal who have level 1 accreditation for online payments services. To our knowledge no one, as yet, has achieved level 1 for telephony solutions.

We hop to have this accreditation signed up within the next few weeks

 

We will keep you posted!

P.S. our PCiTWO product for smaller merchants is also in development, this should be launched during the summer.