StorefrontBacktalk: Search Results for “PCI compliance”

Data Breach Cost Numbers Games

January 28th, 2010

Over the last few weeks, one of the most common questions we’re hearing discussed is “Is PCI really worth it?” These are multi-billion-dollar retail chains asking this question. But there’s a lot more behind the question than it might initially seem.

In a marked contrast to the same kinds of questions two years ago, the intent is not to ignore security. Indeed, many of the chains considering such a heretical question are already putting in place security procedures that go well beyond current PCI requirements. This isn’t a safety or security issue. It’s a simple CFO’s ROI balance sheet, contrasting the bureaucratic and paperwork costs of dealing with the very formal PCI procedure with the limited fines and other bad things that will happen if a chain suddenly stops pursuing PCI compliance. A report released this month from Ponemon tried to quantify the cost of breaches today, but its conclusions are rather underwhelming.

Will Old OS Cause PCI Violation? No, But Marketing Still Says So

January 26th, 2010

For your overflowing folder marked “Ludicrous PCI Scare Tactics That Too Many People Believe” comes a renewed effort from some security vendors to say that out-of-date operating systems this year will cause instant PCI non-compliance. The cure: Give the vendor a lot more money. (Funny how that “cure” seems to treat so many ills in these letters. It’s the Penicillin of PCI.)

A letter from a POS vendor making the rounds warns retailers—under the headline “Information Security Advisory”—that an out-of-date OS will cause lack of compliance with PCI. The warning isn’t true, but the popularity of this and related PCI claims is moving beyond annoying. Are these vendors lying or is marketing being allowed to make the claims without anyone checking? A recession drives marketers to desperate measures. (OK, so does prosperity, but let’s not go there.)

Can Validating PCI Compliance Increase Your Vulnerability To A Breach?

January 25th, 2010

PCI Columnist Walter Conway argues that it may sound like heresy coming from a QSA, but he sees some merchants over-emphasizing their PCI annual assessment. The main event for them is a clean Report on Compliance (ROC) for Level 1 (and soon Level 2) merchants or a Self-Assessment Questionnaire (SAQ) for everybody else. They believe that once the ROC is signed, they can relax until the next year.

But PCI is not like that. PCI has requirements that demand regular attention if merchants are to remain compliant the other 364 days in a year. CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach. They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be.

NRF + PCI = CIO Job Security

January 14th, 2010

For retail CIOs, this is the worst of times and it is the best of times. It may be the worst of times because the emergence of smartphones at the POS, the increase in the amount and availability of customer data, and the growing tokenization and end-to-end (E2E) encryption options may have CIOs (and their QSAs) reaching for the aspirin bottle. On the other hand, it may be the best of times because the CIOs who can address these challenges will be rock stars in their companies.

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside – or even outside – their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. PCI Columnist Walt Conway can think of several merchants he works with that will be looking at these devices very seriously. But, he argues, the PCI implications are complicated.

A Look at PCI in 2010

January 6th, 2010

PCI Columnist Walt Conway sees PCI 2.0 mandating the use of automated cardholder data discovery tools, imposing rules that will literally overrun the council’s PCI training program and, most likely, not alienating Level 2s enough to make a difference. (That’s the secret to a happy marriage: knowing the precise moment that an aggravation level will overtake apathy and stopping nanoseconds short of it.)

But Conway sees the data discovery prediction as the most significant. “If you have a lot of locations, you have work to do setting up and scanning all those databases, workstations and servers. Especially watch to see if the Council decides to implement data discovery like it did wireless scanning (Requirement 11.1). If this happens, merchants will not be able to sample locations and will have to search each one. The good news is that you can conduct these searches internally and there are good open source products available. Your QSA likely would only need to verify the results of your automated discovery and to review the scope of your search.”

When It Comes To PCI Compliance, Franchisors Are Screwed

December 16th, 2009

When it comes to franchise-based retailers, Franchisee Columnist Todd Michaud opines, PCI Compliance is broken, plain and simple. It simply does not address the complexities of the franchisee/franchisor business model and, in the end, leaves the franchisor holding the bag. Because each franchisee is a separate merchant, most large franchise organizations are only required to meet PCI Level 4 requirements. Chains are forced to make tough decisions about how much risk they are willing to accept and what they are willing (or not willing) to do to protect their brand integrity.

It boggles his mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, he thinks we can all agree that it is much better than nothing. But too many companies, his firm included, are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.

Why Are You More Afraid Of A QSA Than A Cyberthief?

December 16th, 2009

Do cybercriminals concern you? Are you afraid that you might lose cardholder data? Are you worried that your internal users are downloading malware from the Web? If so, PCI Columnist Walt Conway has a question for you: Why are you more afraid of your QSA than you are of a cyberthief?

Consider this example: A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.

The Corporate Travel Card PCI Challenge

December 8th, 2009

When PCI Columnist Walter Conway played high school football, the coach once said to him, “Son, there are three ways you can do things: the right way; the wrong way; and the coach’s way. Which way are you going to do things?” To which he replied, “the coach’s way, sir.” PCI can sometimes get like that when the card brands can’t agree among themselves as to whether something is in-scope or out-of-scope.

Most companies issue their employee road warriors with corporate travel cards. Companies also issue purchasing or procurement cards that their staff use to buy everything from office supplies to store fixtures. Most of these cards are American Express, MasterCard or Visa branded. Companies store the PANs in databases that are accessible to travelers and others who use the data for expense reporting and tracking. In his experience, the PANs get printed on hardcopy reports. The question for IT execs is, do you need to include these cards in your (merchant) PCI scope? The surprise answer is that it depends on where you store the cardholder data and, interestingly, on which brand of card you choose.

Retailers Sue POS Vendor, Questions Raised Where PCI Duties Stop

December 2nd, 2009

Now that a PCI lawsuit brought by four restaurants against a POS vendor and a systems integrator has been given class-action status, the case will survive and force a very interesting debate about exactly where a retailer’s PCI liability should start.

The case involves four Louisiana restaurant groups—doing business as Crawfish Town USA, Don’s Seafood and Steakhouse, Picante’s Mexican Restaurant, Mel’s Diner Part II and Sammy’s Grill—suing their POS vendor, Radiant Systems (which owns the Aloha POS systems used by these chains), along with systems integrator Computer World (not to be confused with the publication Computerworld). But when you drill into the details of the lawsuit, it gets more interesting. One of the key accusations against Computer World is that it used vendor default passwords for systems with many of these restaurants, for easier remote administration. The lawsuit correctly points out that PCI bans retailers from using such vendor default passwords. But that’s the key. It’s the retailers that are not permitted to use these defaults. Was integrator Computer World, in this scenario, acting as an agent of the POS manufacturer—as a reseller—or as an agent of the retailer—as an integrator?

PCI Human Train Wreck Coming Next Year For Level 2s

November 30th, 2009

Many Level 2 merchants are just now realizing that their PCI world has changed. Under rules announced this summer, Level 2 MasterCard merchants—like their Level 1 brethren—will require an onsite assessment by a QSA starting in 2010. But how big a difference, asks PCI Columnist Walter Conway, is there really between self-assessing and an onsite review? Actually, there are 525 differences.

Conway’s concern is the almost inevitable fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar. The result may be that even some Level 1 merchants and processors don’t get their assessments (and ROCs) completed on schedule.

Going Out On A Limb With Out Of Scope

November 18th, 2009

This week marks the debut of StorefrontBacktalk’s new PCI columnist, Walter Conway, and Conway debuts by trying to decipher the encrypted tea leaves of the PCI Council’s position on out-of-scope data: what does “the means to decrypt” include? We need, as always, to look at the Council’s intention and not just dissect its words. Although this sentence was followed by a discussion of who manages the encryption keys, he believes the Council intends “decrypt” to mean any way to get from encrypted or tokenized data (i.e., out of scope) to plain text data (i.e., in scope).

That includes gaining access to the keys, but it also includes access to token lookup tables or any other way to get back to the original data. That means you need to be just as concerned with social engineering attacks, malicious insiders and phishing as you do with hackers stealing encryption keys.

Visa Pushes Back PIN Pad Fine Threat To 2012

October 15th, 2009

After some serious retail pushback—particularly in the gas station sector—Visa has relented and agreed to back off an earlier PIN pad compliance deadline originally set for July 1, 2010, some 7-and-a-half months away. The new policy isn’t threatening fines until Aug. 1, 2012.

But the changes were mostly fueled by strong retail lobbying efforts. Beyond the convenience retailers that NACS represents, several of the nation’s largest chains—including at least one major department store—were threatening to abruptly cut off PIN debit at the deadline, possibly switching to signature debit to temporarily sidestep the issue. The tactic is not dissimilar from what Best Buy did this summer when it threatened Visa over contactless payment debit charges.

Enterprise Encryption Meets Corporate Reality

October 15th, 2009

IT execs want to know how the implementation of an end-to-end encryption approach can be integrated with their million-dollar-plus investments in enterprise encryption and key management systems. The last thing anyone wants to hear is that they spent tons of money to meet PCI DSS 3.4 and 3.6 (encryption and key management), only to be told that they wasted their money.

PCI Columnist David Taylor heard from one retail leader who was especially upset about Visa’s reference to ANS X9.24 as the key management best practice, mainly because it’s so focused on encrypting PINs and is not meant to be a general-purpose key management system. He suspects this concern will mushroom into a real battle unless technology vendors can make it clear how investments in enterprise key management systems will be preserved while still meeting ANS X9.24. These standards were, after all, designed for the financial services industry.

Lawsuit: A Heartland Manager Resigned Because Of PCI Compliance Issues

October 8th, 2009

As the lawsuits involving Heartland’s massive data breach move through the court system, an unusual claim was inserted into a court filing. The September 23 filing in the U.S. District Court for the Southern District of Texas was trying to raise questions about Heartland’s post-breach conduct. It then shared the following anecdote without further explanation.

“On the day after the data breach, Heartland conducted a Webinar about the data breach for its high-level employees, sales representatives and/or relationship managers. Upon information and belief, Heartland relationship managers were told that PCI compliance was not a big deal. One of Heartland’s relationship managers resigned on or around April 23, 2009, in part because of Heartland’s statements regarding its PCI compliance. A Referee’s Decision in a Delaware Department of Labor proceeding reached the conclusion that this relationship manager had ‘good cause’ to leave her position at Heartland based, in part, on Heartland’s conduct.” That might prove quite significant, or it could be an irrelevant red herring. Either way, it’s not the kind of detail we see very often.

Does Visa’s Encryption Statement Offer A “Tacit Endorsement”?

October 8th, 2009

Visa’s just announced best practices are designed to provide guidance and give tacit endorsement to existing end-to-end encryption and, to some extent, tokenization. Merchants are likely to see it as “something else to do” and as further evidence that the card brands will continue to go their own way relative to data security despite the PCI DSS industry standards.

But PCI Columnist David Taylor sees something else interesting here. “For the last four to five years, companies have been told that achieving PCI compliance is much easier if they segment their network. Otherwise, all their corporate systems are in PCI scope. But network segmentation is not a PCI standard, per se. If an organization wants to keep their entire network and the connected systems in scope, it’s up to the company’s management.”

Visa’s Retail Token Advice Of Token Value

October 8th, 2009

Visa on Monday (Oct. 5) issued a document to ostensibly help retailers figure out how best to navigate the new encryption and tokenization landscape. But as a practical matter, the document did little beyond rehash conventional wisdom and long-standing Visa and PCI best practices. It felt more like a quintessential psychologist’s advice session: “Dr. Visa, what should we do about tokenization?” “That’s an excellent question, Mr. CIO. What do you think you should do?” The document danced around the key issues about which retailers would truly love strong guidance from Visa, ranging from whether tokens could ever conceivably be considered out of PCI scope to whether retailers are actually encouraged to retain such tokens on their own servers.

But other issues are emerging about tokens. For example, there is the risk of storing convenient metadata in the tokens: info such as SKUs, the exact time and place of purchase and CRM data. Although tempting, such convenience could prove disastrous if a retailer starts holding the data internally and then outsources without remembering to do an intense data cleanse.

Baker By Day, IT Rockstar By Night

October 8th, 2009

Just because Danielle wears an apron and makes sandwiches all day doesn’t mean she can’t solve your most challenging IT problems. If you really want to unlock the potential in your POS system, you need to give up control, argues Franchisee Columnist Todd Michaud.

You need to turn to the collective knowledge and experience of the people who use the system every day and empower them to “create a better mousetrap.” Sure, there are some things that are non-negotiable, like PCI compliance. But when it comes to things like POS menu design, leverage the hundreds or thousands of great ideas in your system to produce the best system possible.

The Two Scenarios Coming From The PWC PCI Report

September 30th, 2009

At the PCI SSC Community Meeting last week, the biggest highlight was the presentation of a report the group sought from PricewaterhouseCoopers (PWC). The first presentation of the PWC report of PCI Emerging Technologies made it clear that by expanding the technological scope of PCI DSS, companies will be able to reduce the scope of their PCI compliance efforts. High priorities over the next year will be end-to-end encryption, tokenization and virtual terminals. But, asks PCI Columnist David Taylor, is it safe to act now?

It’s clear that Fortune 1000 merchants still enjoy their distaste for PCI DSS and their distrust of the process. And it’s fair to say that many merchants actually hate the PCI standards and their purveyors. Still, at last week’s meeting, the Standards Council and the card brands attempted to embrace their detractors via the oft-repeated “we want your feedback” refrain. The response? The merchants in attendance were generally well behaved in public (perhaps they fear reprisals), and there were no reported fistfights, as much fun as that would have been. And one of the reasons for this less-than-hostile response was the PWC report itself, which made it clear that the SSC (and, presumably, the card brands) were open to making some much-needed changes to the standards.

The CIO Dilemma: When The Franchisee Wants To Use Cousin Gino For Local Tech Support

September 22nd, 2009

“I understand that your cousin Gino might be one of the best technology service providers in central New Jersey, but I’m just not sure if we can use him as part of this program.” One of the classic battles between franchisees and their chain’s CIO, argues Franchisee Columnist Todd Michaud, is the use of local support resources. When it comes to technology providers, most franchisees “have a guy that can do this better, faster, cheaper” than anything that is designed at a national level.

It’s a compelling argument. There is a lot to be said for smaller companies that are hungry and constantly go the extra mile. But there’s a reason why national chain CIOs do—and must—often resist.

Prepare Ye List Of PCI Grievances

September 16th, 2009

Depending on your perspective, the upcoming Community Meeting of the PCI SSC members is a “chance to provide feedback” or a place to “share ideas” regarding the standards or “Whinefest 2009.” PCI Columnist David Taylor is taking a perspective that dates back to the founding fathers and preparing a “List of Grievances.”

Among the complaints: no guidance, standards designed for a bygone era of technology, standards that are anything but standardized, the question of why banks should not have to comply with PCI, compliance gamesmanship and “We Don’t Need No Stinkin’ Credit Card Data.”

Should Chains Still Use Payment Card Data For CRM?

September 16th, 2009

For decades, major retail chains have always used payment card data for various purposes beyond processing transactions, often as a practical customer identification means, typically for CRM and purchase history purposes. Although it has never been considered ideal, retailers did it as a matter of pragmatism, in the same way that universities and many businesses have historically used Social Security numbers to identify customers, even though they were never supposed to.

But in recent years, PCI advocates—especially the card brand executives—have discouraged the practice, arguing that the safest process is to use payment card numbers to process a payment and to then delete it as quickly as possible. Having those numbers lying around—especially spread into marketing and sales departments—was simply increasing the chance that someone unauthorized could access the data. But the guidance is vague and subject to economic considerations.

PCI Compliance Could Have Stopped Gonzalez

September 8th, 2009

PCI Columnist David Taylor writes that he “actually believes” that the PCI DSS controls, implemented in an “above average” way, could have stopped the Gonzalez-led criminal masterminds from breaking into a company. Not all companies, but a company with above average security.

“Let’s say a group of retailers is being chased through the jungle by a tiger named, say, Gonzalez. To avoid being eaten by the tiger, it’s not necessary that each retailer run the fastest, but merely that each retailer should run faster than the slowest retailer,” he writes.

Re-Thinking PCI Assessor Selection: Does Quality Matter?

August 26th, 2009

PCI Columnist David Taylor has, for years, counseled retailers to hire quality QSAs and avoid the low-cost easy graders, who will pass for cash. But the latest comments by the PCI Council and MasterCard are making Taylor rethink that advice. Said one retail IT exec: “Why should we bother doing PCI ‘right?’ We’ve always stayed away from the low-ball QSAs that would just rubber stamp our compliance. We paid premium prices to get the best assessment. But, if we get breached, it probably won’t matter. The card brands will just bring in an ‘A List’ forensic team and all they have to find is one little thing (out of 200+ controls) and suddenly we’re not compliant, regardless of how much money, time and effort we put in. We should just hire an ‘easy grader’ QSA and get compliant at minimal cost as fast as possible.”

If a retailer will invariably be declared non-compliant after a breach, what’s the point of doing the assessment right? Turns out, there are quite a few points.

Gonzalez: The Al Capone Of Cyber Thieves?

August 19th, 2009

Albert Gonzalez, the Miami resident who was indicted last summer for stealing credit card data from TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW, can now add Heartland, Hannaford and 7-Eleven to the lengthy list of retailers that the federal government says he penetrated. In case you feel left out, there are two to three additional major retail chains that the feds have accused him of attacking, although those chains have yet to disclose that they were breached.

But the indictment revealed several key contradictions with 7-Eleven and Heartland and one major retailer’s security executive found the government’s specifics to be a convincing indictment against PCI.

MasterCard Vs. Visa: Dueling Compliance Philosophies

August 18th, 2009

People don’t seem to “get” MasterCard. For most of the last 4 years, MasterCard has been criticized for their apparent willingness to let Visa play the “bad guy” who issues fines to acquiring banks (and, through them, to merchants), who extends the PCI standards to application vendors (through PABP, now PA-DSS) and who generally takes the heat for PCI.

Now MasterCard is taking what can only be called a “get tough” policy, issuing larger fines and, most significantly, forcing both Level 1 and Level 2 merchants to use assessors rather than take on the task of self-assessment. But still, opines PCI Columnist David Taylor, merchants, banks, processors and service providers aren’t happy with MasterCard. They just can’t seem to get a break. After numerous conversations with companies on the receiving end of MasterCard’s “get tough” efforts, Taylor thinks it’s all a difference of philosophy.

Survey: Level 4s’ Recognition Of PCI High, Understanding Of It Almost Nil

August 13th, 2009

When the National Retail Federation released a report on Monday (Aug. 10) that said smaller retailers—Level 4s—now said they were “familiar” with PCI, it was hailed as a major step forward. That’s setting the bar mighty low, even for the smallest of retailers.

But the more important question raised in the report is whether those merchants have an unrealistic sense of how vulnerable they are to data breaches. The problem is that the report didn’t sufficiently track who said what, making it impossible to determine whether any one merchant’s appraisal was legitimate or not.

PCI Talk is Cheap: Even Small Merchants Can Afford It

August 13th, 2009

When the National Retail Federation published a report this week about a survey of Level 4 merchants and PCI concerns, it presented an optimistic—but potentially misleading—picture, points out PCI Columnist David Taylor, who had been actively involved in the report’s research. “One of the problems with multiple choice surveys is that it’s hard to present realistic tradeoffs to the respondents. You rarely see a question: ‘Which is more important? Spending $500 on a new network firewall or spending $500 to fix the delivery van?’ But that’s the real issue.”

That’s because data security may be a high priority in the abstract, but compared to “keeping the business running” types of concerns, it typically drops off the bottom of the list of things to spend money on. Why? Because small businesses do not believe they are going to have a data breach.

MasterCard Becomes The First Card Brand To Publish PCI Fines

August 6th, 2009

MasterCard has become the first card brand to publish its PCI fines and related requirements, a move that could be the latest signal that MasterCard wants to step out of the PCI shadow of its larger rival, Visa. The dollars themselves do not reflect a radical change, although they do include some healthy increases.

“The noncompliance assessment structure now contains escalating assessments per violation within a calendar year,” said the document sent to members earlier this summer. “Maximum assessments for initial noncompliance for Level 2 and Level 3 merchants have increased to $25,000 and $10,000, respectively. Furthermore, the $500,000 annual aggregate maximum for acquirer noncompliance assessments related to program noncompliance has been discontinued.”

Mobile Payments May Make PCI Obsolete

August 6th, 2009

As more people start paying for goods and services using their phone, rather than a credit card, they are venturing into that ethereal netherworld that is “beyond PCI” – in this case, literally, as their daring actions challenge the Payment Card Industry to drop “card” from their name.

But there’s more to the challenge than semantics, argues PCI Columnist David Taylor. A lot more.

Securing Mobile Payments – It’s Still Early

July 29th, 2009

Mobile payments are exciting, no question about it, writes PCI Columnist David Taylor. The very idea of allowing consumers to buy stuff anywhere, at any time, with the touch of a button, gets retail, banking and communications executives to the point where you almost have to hose them down. So, what better way to ruin the party than to bring up security and compliance issues?

Actually, the need for this emerging payment “channel” and the specific payment platforms, software and services to be PCI compliant should be obvious, Taylor said. After all, the PCI standards have been around for about 5 years, so one would assume that PCI compliance would be “built in” to mobile payment products and services.

Is MasterCard Ready To Sing “You’re So Fined”?

July 29th, 2009

There’s an intriguing blog discussion over at the Verisign security site suggesting that MasterCard has rapidly started upping its fines for PCI compliance issues. As the post asks, “Who poked MasterCard hard enough to wake them from hibernation?”

“MasterCard traditionally fined post-breach and, in some cases, we learned that MasterCard would fine merchants small, but consistent amounts to get the attention of accountants and finance gurus inside the company,” the post said, adding that times have now changed. “So Level 1 merchants are being fined, at most, $25K more from MasterCard than from Visa, and Level 2 merchants are being fined a whopping $315K more from MasterCard. If your company is actually made up of multiple Level 2 retailers, this potentially means that you could owe double, triple, or more. MasterCard rolled out another change to acquirers as well and will require newly boarded Level 1 & 2 merchants to provide a compliant ROC from a QSA before they are allowed into the network. So those Level 2 merchants that have been changing processors every year, it finally caught up to ya.”

Network Solutions Data Breach Hits 574,000 Consumers

July 27th, 2009

An E-Commerce software company that, as part of its service for small retailers, accepted payment card data and then sent it to various processors has found itself on the wrong end of a breached-company news release, confirming that payment data from some 574,000 customers—processed through 4,343 of its small retail clients—had been accessed. The stolen data included transaction specifics, card account numbers, names and consumer addresses. The vendor—Network Solutions—had been certified PCI compliant (you just knew that was coming, no?).

The details include an early PCI attempt to try and walk back the certification, retailers complaining about their names appearing in a breach notification letter and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that they retain credit card data a lot longer than they say they do.

Tesco Embraces Open API Strategy For Mobile, 3D

July 23rd, 2009

Tesco, Europe’s second-largest retailer, is counting on an army of outside programmers to create applications that will enable easy shopping on its Web site via mobile devices and other interfaces, following a similar move by Best Buy to release its APIs to the developer community. An official with the $85 billion Tesco, the world’s third-largest retailer behind Wal-Mart and France’s Carrefour, detailed the move this week in some Web and blog entries.

“Our customers tell us that to differentiate ourselves we must be proactive, we must inspire them and we must make grocery shopping easier and faster,” wrote Nick Lansley, Tesco’s head of research and development. “Perhaps this new immersive experience needs to be a great mobile phone application or perhaps a 3D virtual store or shopping through the TV set-top box or a third party recipe site where ingredients can be added straight to your basket.”

Clarifying, Somewhat, The PCI Wireless Security Standards

July 22nd, 2009

The new PCI wireless guidelines are helpful, but they could have—should have—gone a few steps farther, opines PCI Columnist David Taylor. For example, one of the technical controls that was introduced with PCI DSS 1.2 is the wireless IDS/IPS. It’s listed as an option, with the other option being to manually carry a laptop around corporate offices and stores running wireless networks on a quarterly (or more frequent) basis and see whether any networks appear that the security person (if any) does not recognize.

Although it’s certainly understandable that, for SMEs, the cost of a wireless IDS/IPS can be prohibitive, this is the sort of technology that should be mandatory for larger (i.e., Level 1 and 2) companies. That is not only because of the time and effort that it saves, but also because it can be extremely difficult to spot “rogue” or malicious networks in dense urban areas, shopping malls and large multi-company facilities.

Read more...
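The manual control the column describes (walk the site with a laptop, list every network in range, flag the ones nobody recognizes) is only as good as the comparison step, so here is that step as an added example. This is not code from the column or from the PCI Council; the authorized-AP inventory, the scan lines and the SSID names are all constructed for the example. The check keys on BSSID (the access point’s MAC address) rather than SSID, because cloning a store’s SSID is the first thing a rogue AP does; it also separates a known AP broadcasting the wrong SSID from a distant neighbor, so the person doing the walk knows which hits need a follow-up.

```python
"""Rogue wireless network check: compare a site scan against an authorized inventory.

Added example (not from the column). Inventory, scan lines and SSIDs are constructed.
Matching is done on BSSID, not SSID, because an attacker can trivially clone an SSID.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Network:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int


# Constructed authorized inventory for a hypothetical store: BSSID -> expected SSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
    "00:11:22:33:44:03": "STORE-GUEST",
}

# Constructed scan output, one network per line: BSSID SSID CHANNEL SIGNAL_DBM
SCAN_LINES = """\
00:11:22:33:44:01 STORE-POS 6 -45
00:11:22:33:44:03 STORE-GUEST 11 -60
de:ad:be:ef:00:01 STORE-POS 6 -40
aa:bb:cc:dd:ee:ff NeighborCafe 1 -82
00:11:22:33:44:02 STORE-GUEST 6 -50
"""

LINE_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\d+)\s+(-?\d+)$", re.I
)


def parse_scan(text):
    """Parse the simple scan format above into Network records."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable scan line: {line!r}")
        bssid, ssid, ch, sig = m.groups()
        nets.append(Network(bssid.lower(), ssid, int(ch), int(sig)))
    return nets


def classify(networks, authorized, signal_floor_dbm=-75):
    """Bucket every observed network.

    known:         BSSID in inventory, SSID as expected
    misconfigured: BSSID in inventory, but advertising a different SSID
    rogue:         unknown BSSID advertising one of OUR SSIDs (evil twin)
    neighbor:      unknown BSSID, foreign SSID, weak signal (probably next door)
    unknown:       unknown BSSID, foreign SSID, strong signal (go and find it)
    """
    our_ssids = set(authorized.values())
    result = {"known": [], "misconfigured": [], "rogue": [], "neighbor": [], "unknown": []}
    for n in networks:
        expected = authorized.get(n.bssid)
        if expected is not None:
            result["known" if n.ssid == expected else "misconfigured"].append(n)
        elif n.ssid in our_ssids:
            result["rogue"].append(n)
        elif n.signal_dbm < signal_floor_dbm:
            result["neighbor"].append(n)
        else:
            result["unknown"].append(n)
    return result


def rogue_bssids(text=SCAN_LINES, authorized=AUTHORIZED):
    """Convenience entry point: sorted BSSIDs of evil-twin candidates."""
    return sorted(n.bssid for n in classify(parse_scan(text), authorized)["rogue"])


if __name__ == "__main__":
    for bucket, nets in classify(parse_scan(SCAN_LINES), AUTHORIZED).items():
        for n in nets:
            print(f"{bucket:13s} {n.bssid} {n.ssid:12s} ch{n.channel:<3d} {n.signal_dbm} dBm")
```

The signal floor (-75 dBm here) is a tuning knob, not a security boundary: in a mall or a dense office building a neighbor’s AP can easily be louder than that, which is the column’s point about why a continuous wireless IDS/IPS is worth its cost for Level 1 and 2 merchants.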

“What’s an Acquirer?” And Other Noteworthy SME Questions

July 15th, 2009

Small business owners may be too ignorant to ever be PCI compliant. PCI Columnist David Taylor recently participated in a webinar, a live seminar and a survey all aimed at small business, and all part of separate efforts aimed at building awareness about the importance of PCI compliance to small to medium size enterprises (SMEs). In each case, the presenters were struggling, trying to figure out just how “basic” to be when explaining PCI compliance.

Pretty darn basic, actually. For example, at the live SME-oriented seminar, after listening to three different speakers discuss why PCI compliance is so important to data security and minimizing brand damage and the risk of a security breach, Taylor had two, not one, but two separate people come up to him and ask “What is PCI?” Both persons apologized for their “dumb” question, but it got Taylor thinking about other dumb questions that illustrate why we have a long way to go before we will be able to impress upon the SMEs of this world that PCI is worth paying attention to. A few examples…

Read more...


On The Other Hand, PCI Sometimes Actually Can Reduce Fraud

July 8th, 2009

Quite a lot has been written recently about the difficulty of quantifying ROI from PCI programs. In fairness, while those concerns are quite legitimate, it doesn’t mean that PCI compliance does not (or cannot) help reduce fraud.

It just means, writes PCI Columnist David Taylor, that the nature of the standard, current metrics, software tools, reporting and established business procedures haven’t been adapted to incorporate the types of controls and reporting that PCI enables. In short, merchants have focused most of their effort (and spending) on getting compliant, but hardly any effort has been focused on the “business by-products” of compliance, such as fraud reduction.

Read more...

Can the Government Be Sued For Plagiarizing PCI DSS?

June 24th, 2009

Nevada is making PCI the law and a group of state attorneys general plagiarized it liberally while trying to figure out what to force TJX to do. Like it or hate it, PCI Columnist David Taylor argues, the PCI DSS is the only set of data security standards out there that actually comes with an effective, ongoing validation and enforcement process.

That is not true of HIPAA or the vast majority of state or national data privacy or breach disclosure laws. Enacting PCI into law may help, but actually allocating government funds to review compliance on a regular basis does not seem likely, so these laws (like the breach disclosure laws) will be ignored by all except compliance officers, vendors, consultants and security geeks.

Read more...

States Scaring The POS Off Randomly Regulated Retailers

June 24th, 2009

When it comes to regulating retailers, what could be worse than an over-zealous Washington? How about fifty over-zealous “Washingtons”? Discussions about “Big Brother” and onerous regulation of business usually center around the federal government. Not that Uncle Sam isn’t evil at times, but these days it’s the states that are causing the big headaches for retailers, especially those that operate on a multi-state or national level.

Every couple of weeks, it seems, another state makes news for attempting to regulate, tax or otherwise control retailers and retail technology. The toughest part, for merchants, is that states usually tackle the issues with little regard to being aligned with the efforts of their colleagues in other states or for the hardships their one-of-a-kind provisions impose on retailers. The laws just keep on coming. Nevada, for example, passed a data protection law last month that goes into effect Jan. 1, 2010. In addition to forcing businesses to use encryption when data storage devices containing personal information are moved outside the company’s physical or logical control, the new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.

Read more...


MasterCard Gets PCI Tough With Level 2 Retailers?

June 18th, 2009

MasterCard has changed its PCI rules and is now insisting that all Level 2 merchants have on-site assessments. There’s no dispute that this is a significant move, but whether it will truly have any lasting—and meaningful—impact is unclear. That’s because of a few issues, especially the confusing rules surrounding self-assessments.

It was late in 2007 when Visa started allowing Level 1s to self-assess. Even that was not so dramatic because it could only happen when there was agreement between the retailer’s execs, the acquiring bank and the card brand. Heck, if a retailer can get agreement among all three of those groups, there’s no PCI rule that can’t be changed or waived. That’s akin to saying that an American consumer can do something as long as the Senate, House, White House and Supreme Court sign off.

Read more...

Why PCI Has Not Reduced Fraud

June 17th, 2009

One of the most persuasive ROI arguments used to justify spending thousands (even millions) of dollars on PCI compliance was that implementing all those PCI-mandated security controls would help reduce fraud, as well as security breaches. Merchants have been encouraged to balance their spending costs against the savings due to having fewer breaches and less fraud. In the end, PCI compliance would translate into profits for the merchant due to fewer chargebacks, less internal fraud and a lower risk of security breaches.

It’s a great theory. But as PCI Columnist David Taylor reports, things haven’t quite worked out that way.

Read more...

NRF and Other Retail Groups Gang Up On PCI, Demand More Reasonable Rules

June 11th, 2009

Representatives of six of the largest retailer organizations sent a strongly-worded letter to the PCI Council on Tuesday (June 9), asking officially for several major changes to PCI to make compliance an easier goal. The PCI council issued a response, which pretty much amounted to “we like feedback. Have a nice day.”

The letter asked the council to support an end-to-end encryption standard, seek more input from retailers at an earlier stage, give larger chains more time to implement new PCI requirements, publish a list of the most important elements that really need to be done (rather than insisting on compliance with every one of the “more than two hundred detailed requirements of the PCI DSS”) and allow retailers to store fewer pieces of sensitive data.

Read more...

The Forbidden Question: Are You Still Using A QSA?

June 10th, 2009

The other day at a security conference on retail and PCI security issues, I was in a group of retailers and saw one retailer ask the other a deliciously revealing question: “Are you still using a QSA?” The entire question is nice, but it’s the emphasis on the word “still” that makes it art. That’s the killer word, as it was designed to make this other retailer feel small.

About a week earlier, at a different conference hundreds of miles away, GuestView PCI Columnist David Taylor witnessed a similar exchange in a group of about eight retailers, of whom only one said he was using a QSA. And that guy was clearly on the defensive, half-blaming his management for forcing him to still use one.

Read more...

Rethinking Payment Security Outsourcing

June 3rd, 2009

Is it justifiable to implement a less secure technology if employees’ jobs are preserved in the process? GuestView PCI Columnist David Taylor has noticed a “protectionism” trend when it comes to the outsourcing of payment management for the purpose of reducing PCI compliance scope.

“We’re talking about companies opting to store and manage more credit card and other confidential data than necessary, and we suspect protecting jobs in technology, compliance and finance is the main reason for this,” Taylor writes. “But is this necessarily bad?”

Read more...

PCI and Fraud Analysis: To Have and Have Not

May 26th, 2009

As merchants work to reduce the scope of PCI compliance and the risk due to having credit card data in their environment, some companies are actually taking access to this data away from people who need it to do their job, including the managers who are charged with investigating fraudulent credit card transactions. Instead of PCI controls helping reduce fraud, for some companies, they are making fraud detection more difficult.

“We all know that PCI compliance creates dividing lines,” said GuestView PCI Columnist David Taylor. “Flat networks must be segmented. The number of databases that store—and applications that use—cardholder data needs to be reduced and the number of persons with full card number access needs to be reduced as well. The whole process of separating the “haves” from the “have nots” often leads to arguments and requires extensive justification on the part of those who maintain they must have the ability to see unencrypted card data in order to do their job.”

Read more...

Implications of Heartland’s Beyond PCI Strategy for Retailers

May 13th, 2009

Retailers need to carefully examine any new “beyond PCI” technical approaches being offered by their processors, as well as other service providers. They need to think about what will be required of them to take advantage of such “end-to-end” security and whether the investment in technology and labor will be transferable, should they decide to switch to a competitor.

Beyond focusing on avoiding “Beyond PCI Lock-in,” pens GuestView PCI Columnist David Taylor, retailers also need to focus on ensuring that these new security efforts don’t break their existing applications. Some of the tokenization and end-to-end encryption approaches currently (or soon to be) on the market don’t always play nice with existing ERP, CRM and other enterprise applications.

Read more...

The Latest Chapter In Heartland’s Alice In Wonderland PCI Journey

May 4th, 2009

The back-and-forth compliance dance that is being forced upon Heartland Payment Systems took its latest journey through the PCI Looking Glass Friday (May 1), with Heartland declaring that it has now returned to Visa’s list of PCI DSS validated service providers (aka the list of providers that Visa heartily recommends today but will deny ever having heard if they’re breached tomorrow).


The journey began when Heartland was certified PCI compliant April 2008. A few months later, Heartland was severely breached and Visa began its revisionist history dance. Given a public stance that no PCI-compliant merchant or processor had ever been breached, Visa determined that Heartland therefore could not have been truly compliant in April 2008. On March 12, 2009, Visa removed Heartland from the compliant list. But just in case someone might mistake this move as Visa actually caring about security, Visa stressed to retailers that everything was OK and that they were completely safe using Heartland anyway.

Read more...

PCI’s Grading System Is Failing

April 29th, 2009

For months, retailers and Congress have been attacking retail security standards, but few realize that the problem is not in the standard itself. The problem is a grading system that causes most retailers to be out of compliance most of the time because the rules require 100 percent compliance. How often in school did you score 100 percent?

The system is oriented to forcing retailers to fail, argues GuestView PCI Columnist David Taylor, and it does this by being utterly insensitive to risk, which is surprising because the financial services industry runs on risk management. So if big finance runs on risk management, why are retail payment security rules running away from it?

Read more...

Why Most PCI Self-Assessments Are Wrong

April 23rd, 2009

The reason that so many PCI self-assessments are wrong is that they focus on the mainstream business processes of the company. They often ignore a lot of “back-channel” or “just-in-case” practices that result in card data coming into the company unprotected by the PCI and other data security measures that protect the more mainstream applications, data repositories and processes.

GuestView PCI Columnist David Taylor said the problems crop up in easy-to-miss ways and he rattles off three of his favorites.

Read more...
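The practical counterpart to the point above is to go looking for card data where the self-assessment did not: mailboxes, fax-to-email folders, call-centre notes, ticket systems. As an added example, not code from the column, here is the core of a PAN discovery pass over free text. The e-mail body is constructed, and the card numbers in it are the standard publicly documented test numbers, so nothing real is embedded. The scanner pulls candidate 13 to 19 digit runs (with optional space or dash separators), drops anything that fails the Luhn mod-10 check, and reports each hit masked to first six and last four, which is what a finding should contain so the report itself does not become another copy of the data.

```python
"""PAN discovery in unstructured "back-channel" data.

Added example (not from the column). The sample e-mail text is constructed and
uses publicly documented test card numbers only.
"""
import re

# 13-19 digits, single optional space/dash between digits, not inside a longer run
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_TEXT = """\
Subject: Re: phone order for Mrs. Example
Customer called, card is 4111 1111 1111 1111 exp 12/12, ship to 12 Main St.
Order ref 1234567890123456, call back at +1 (555) 010-2233.
Second card on file: 5500-0000-0000-0004.
Fax confirmation number 20090423.
"""


def luhn_ok(digits):
    """Luhn mod-10 check: weeds out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four only; the middle is what makes a PAN sensitive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return [(line_no, masked_pan), ...] for every Luhn-valid candidate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_TEXT):
        print(f"line {line_no}: {masked}")
```

Two things worth noting when this is run for real. The Luhn filter removes most false positives (the 16-digit order reference above fails it) but not all; adding a BIN-range check for the brands you accept tightens it further. And a hit in a mailbox or ticket system is evidence that the channel, not just that message, is in scope.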

Verizon: Retail Data Breaches Typically Discovered By Accident

April 16th, 2009

In its annual report of retail data breach statistics, the forensic analysis group at Verizon Business details a series of stats that essentially verify what most retail IT execs already knew. This year is no exception, with evidence of breaches that are discovered by accident when they’re discovered at all, successful attacks that used remarkably little sophistication and PCI holes galore.

But there’s something about seeing these conventional wisdoms substantiated with statistics that is comforting, along the lines of “Hey! We were right. But we’re also royally screwed.” With that in mind, some of the more delicious details from this new report, which was published Wednesday (April 15).

Read more...

Data Security Slugfest: Tokenization Vs End-to-End Encryption

April 15th, 2009

In a land “Beyond PCI,” there’s trouble brewing. Issues involving everything from tokenization to end-to-end encryption are being debated and the PCI SSC is hiring a consulting firm to look into the implications of these (and other) technologies and processes.

This all raises the issue of “should retailers wait for the PCI SSC to ‘bless’ or integrate so called ‘beyond PCI’ technologies into the standards?” GuestView PCI Columnist David Taylor’s answer is a profound “no.”

Read more...


Most Recent Comments

What’s The Rush For New PCI Call Center Requirements?

And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. PCI Council needs to rethink this requirement until there is a widely available commercially viable solution. Read more...
Another ridiculous decision where regulators don't think critically enough about the unintended consequences of their decision. This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can't purge all of our calls and we don't have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it. Read more...
This "clarification" is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs. The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is in a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification. Read more...
PCI council has made a one-sided decision; They should have done much more in-depth research that could have provided more insight regarding the implications of such a decision. Read more...

Will Old OS Cause PCI Violation? No, But Marketing Still Says So

This is an interesting issue, because there's more to it than what's apparent on the surface. PA-DSS requires supported and patched operating systems and other software components (e.g., databases, libraries, Java, etc.) per PA-DSS 7.1.b and 8.1, and the option for compensating controls simply isn't there. Merchants can make use of compensating controls for most PCI DSS requirements, but only when legitimate constraints exist and only in ways that meet the intent and rigor of the requirement and go above and beyond the other PCI DSS requirements. Read more...
Why would one automatically upgrade to a "new" OS -- some of the older versions of certain OS-es are more stable and more robust than the crap being peddled today. This is yet another clear example of PCI SSC being out of touch with reality. Rather than requiring a "current" OS, the requirement should be to demonstrate the OS in use is stable and robust, and is adequately hardened against threats. Read more...
There are compensating controls that encrypt the swipe at the driver level as it enters the PC, there are hardware encrypting card swipes so the cardholder data is already encrypted before it comes to the PC -- either of these, especially the second, would remove the OS entirely from a cardholder data risk profile. Read more...
In my opinion, the only thing the vendor did wrong was they didn’t know of that FAQ entry. Even if they did, it changes nothing about the need for merchants to update software that no longer receives updates. Read more...

MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

Reciprocity between MasterCard and Visa has always been a factor in Acquirer merchant level assignments. The brief removal of reciprocity generated a great deal of interest in being able to be classified at a lower level in MasterCard's world. Nevertheless the return of the reciprocity language in the December changes did not effectively create any new Level 2 merchants, but it DID dash the hopes of a lot of them.... :-( Read more...
Let's give them credit??? For being idiotic in the first place? Not on your life! Everyone has just had to scramble and include the costs of the previously announced M/C requirement in their 2010 budgets, and start negotiating with the QSAs for the additional services. All for naught! Read more...
"A bunch of Level 3 and Level 4 merchants just became Level 2s". Is this an accurate statement? MasterCard & Visa have historically included the caveat "or is a Level X in another brand" in their level setting criteria. MasterCard appeared to back away from this in the June pronouncement, and have simply returned to the status quo. Have Acquirers been tracking and reporting merchants at separate levels by brand? Read more...
I stick by my comment (quoted in the column) about a bunch of L3 and L4 merchants becoming L2s and requiring an onsite. To me, what made MasterCard's original requirement for an onsite assessment for L2s palatable was that they took away their reciprocity provision. That is, they seemed to focus on larger merchants with over a million MasterCard trans/year. With reciprocity in place, a lot of smaller merchants are pulled into the onsite requirement. Rather than causing confusion, I think reciprocity will lead to additional work for processors and acquirers. Read more...

Retailers Sue POS Vendor, Questions Raised Where PCI Duties Stop

I would add a couple more questions: "did the breach involve the use of the default passwords?" (The story doesn't say.) And "were the default passwords used by Computer World to remotely administer the store systems?" "where is the PCI auditor in all this?" Did the restaurant group think they didn't need an audit because Radiant was (mis)representing Aloha as PCI compliant? How is a retailer or even a PCI auditor to know otherwise? A PCI auditor is not necessarily a qualified computer forensic investigator capable of finding the card data on the hard drives. They can only base a decision on information given to them by others. Read more...
There are so many holes in the process it will be difficult to pin blame on just one constituent. It is ridiculous that the technology exists to better secure these transactions (PIN, EMV, etc) yet banks won't use them. Only the banks or government can force this change, and retailers will suffer until then. Read more...
A major issue in this case will be if the restaurants had any support agreements in place with Computer World and if so what those agreements say. In my experience many single unit/small operators choose to skip the support agreements in favor of a "pay as you go" arrangement. In this scenario I can't imagine how the POS VAR can be held responsible for a system they don't own nor exclusively manage. Read more...
There is a big difference in having the POS installation guide say "make sure you set this password because the security of your CHD depends on this" vs. a POS application not storing the CHD in the first place. Traditionally only the merchant was liable for breaches and PCI related fees (fines). Maybe dragging some of the vendors into the liability mud fight will open the eyes of some of these vendors. Read more...

Should Credit Card Transactions Be Free? There May Be A Way

Here in the Netherlands, where the population is notoriously penny-pinching, credit card acceptance is amazingly low. It's both a result of the consumer not wanting to pay interest on everyday purchases as well as merchants not giving up a slice of the action. It is both legal and common to pass the processing fee onto the customer as a surcharge. Now things are moving to leave the credit cards behind: mobile phone payments are becoming more and more common here, and the transaction fees are minimal. Parking and entertainment (movie/concert tickets, nightclubs) have been amongst the first, and it's rapidly gaining momentum because the market has been hungry for the convenience at a price it is willing to pay. Read more...
"Free" is an illusion. Don't charge one person but charge double to someone else. I am very skeptical of anyone who says that advertising will create valid cashflow. Just look at the advertising struggles in a TiVo world. And if you sell your customers' data, just be warned that the one group that might have issue with that are your customers (which to me is very important to cashflow). Read more...
Another factor not mentioned here is the impending costs that the processors and issuers are going to incur when someone decides on an end-to-end encryption method, and it then becomes government mandated. I can guarantee that this is a when question and not an if question. The back-end networks are pretty antiquated right now, and it's going to cost billions to replace everything. The cost of tech may be going down, but the cost of replacing millions of servers and hardware, and creating new, proprietary, software is still really expensive. Read more...
Accepting credit cards is not "risk-free" for merchants, contrary to Jim's comments above. Chargebacks are an expense - both in terms of actual transaction reversals and costs associated with managing the process. Chargeback rules and expenses can be everything from a thorny issue to an onerous expense for some merchants, especially for convenience stores that allow customers to pay for gasoline at the pump, or other retailers that allow in-store self-checkout options. Read more...
I've wondered for years why the price of transactions has been so high. Phone companies long ago started offering unlimited calling for flat rates because they understood that in many cases it cost more to report on the transactions (calls) than it did to fulfill them. Read more...
If a home-owner defaults on the mortgage, who is taking the risk? The bank making the loan to the consumer or the person selling the house? It is obviously the bank that takes this risk and is rewarded for that risk through interest rate charges. In my mind, we have mixed together two distinct and unrelated transactions. Read more...
The one big factor not mentioned in this article is who will take over the risk ? Taking credit cards is risk free to merchants and the issuing Banks take the risk if a customer defaults on the payments ! If you had a "interchange free" payment system will the merchants assume the risk ? Also, if there isn't enough profit for the issuing banks they will stop issuing credit cards which will in turn kill our economy. Read more...

The Dangerous Out-Of-Scope PCI Charade

If tokens are ever deemed in-scope, then where does the line stop? I ask this because it would mean that all timestamps, sequential numbers, random numbers or any other piece of information that may or may not be used to generate a token is within scope -- all data a POS uses and stores, not just payment data. Read more...
Having the ability to do both Tokenization and End to End Encryption (not mere point to point) can have tremendous scope and risk reduction benefits and agility to adapt to change in this fast moving compliance landscape. Being able to have both on tap from a single platform is a solid approach to avoiding the pitfalls. Read more...
But the consumer walks into a particular retail chain, gives their payment card to someone wearing that chain's uniform and the card is swiped. If, six months later, there's a breach and that card was misused, it's the retailer who will be in the spotlight. They're the deep pocket and, therefore, the target. If the consumer is angry and wants to cut off business, it will hit the retailer. Therefore, if the retailer is going to end up being blamed no matter what, they have to stay involved. Read more...
True, that someone may be storing a token-to-PAN cross reference. But that would be the bank, not the retailer. If the bank is not sure they can keep their data secure, then there are bigger problems to be addressed than bringing tokens into scope. Read more...
Good general point, Steve, but for the record, not all tokenization is done the same way. Many tokens are associated with lookup lists that allow for them to be re-matched to the card data if it's needed, such as for a chargeback. A token doesn't have to be decryptable (is that a word?) for there to be a way to access the original data. Read more...
The out-of-scope argument is very valid but in reference to tokens, the premise of temporarily out-of-scope or abruptly deemed in-scope is flawed. Conway was quoted: “anything that could be made unreadable can, in various ways, be made readable again.” This statement is true when talking about encryption technologies (all encryption technologies) but not so with true tokens. True tokens are in no way related to the original data other than as a reference key. Read more...
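The distinction the last two commenters are drawing, between a token that is only a reference key into a vault and a value that is mathematically derived from the PAN, is easy to show in code, so here is an added example that is not from the column or from any of the commenters. The vault is an in-memory dictionary standing in for a real hardened store, and the PAN is a publicly documented test number. A vault token preserves the last four digits for customer-facing display and is otherwise random; the only way back is a lookup, which is the "lookup list" mentioned above. For contrast, the same PAN is run through an unkeyed SHA-256 as a stand-in for any derived surrogate: because a masked receipt already reveals the first six and last four digits, only the middle six are unknown, and one million hash attempts recover the PAN.

```python
"""True tokens versus derived surrogates.

Added example (not from the column or the comments). The vault is an in-memory
stand-in for a hardened token store; the PAN used is a public test number.
"""
import hashlib
import secrets


class TokenVault:
    """Format-preserving random tokens; the PAN<->token mapping lives only here."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        if pan in self._by_pan:          # same PAN -> same token, so fraud
            return self._by_pan[pan]     # analysts can still link transactions
        while True:
            # keep the last four for display; everything else is random, not derived
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Lookup only; raises KeyError for a token this vault never issued."""
        return self._by_token[token]


def derived_surrogate(pan):
    """NOT a token: an unkeyed hash of the PAN that anyone can recompute."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest, bin6, last4):
    """Brute-force the six unknown middle digits of a 16-digit PAN.

    bin6 and last4 are exactly what a truncated receipt or masked screen shows,
    so this is the attacker's starting position, not a lucky guess.
    """
    for middle in range(1_000_000):
        candidate = f"{bin6}{middle:06d}{last4}"
        if derived_surrogate(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("token:", token, "-> detokenize:", vault.detokenize(token))
    print("hash surrogate recovered:",
          recover_pan_from_hash(derived_surrogate(pan), pan[:6], pan[-4:]))
```

A keyed hash (HMAC) with a well-protected key defeats the brute force, but at that point the value is a cryptographic function of the PAN and the key is what has to be protected; the vault token has no such dependency, which is why the comment above can call it a reference key rather than something that can be "made readable again".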