PCI Compliance – Aegify (https://www.aegify.com): Comprehensive Security, Risk and Compliance Assurance Solution

Understand the Critical Changes to PCI DSS 3.0 that you as a Merchant must know
https://www.aegify.com/critical-changes-to-pci-dss-3-0/ – Wed, 08 Oct 2014
Walk into any major brand’s retail outlet, a small or medium retail store, a high-end hotel or a small wayside restaurant today and you would not be surprised to find that they accept card payments for the goods and services they provide. The payment card industry (PCI), covering debit, credit, prepaid, e-purse, ATM and POS cards and the businesses associated with them, is bound by the Payment Card Industry Data Security Standard (PCI DSS). A lack of education and awareness around payment security, together with poor implementation and maintenance of the PCI standards, leads to security breaches, and cardholder data continues to be a target for criminals.

New versions of the PCI DSS are introduced only after feedback from the industry on how to improve payment security, on global applicability, and on the cost and benefit of any changes to infrastructure. Changes to the PCI standards framework reflect the growing maturity of the payment security industry and its strength in protecting cardholder data. Although version 3 of PCI DSS introduces changes over previous versions, the 12 core security areas remain the same. Nevertheless, in a business environment that offers cyber attackers any number of loopholes, enterprises are challenged to ensure the protection of cardholder data.

Since the PCI DSS applies to all stakeholders involved in payment card processing, PCI DSS compliance management is a sensitive affair. Across industries, inconsistent encryption and malicious hackers accessing credit card data have resulted in huge financial losses and brand-image exposure. Even enterprises that were compliant with Sarbanes-Oxley and HIPAA found that their controls were not adequate to meet the PCI DSS requirements. Enterprises therefore turned to automated processes for monitoring security vulnerabilities, mapping security controls and initiating remediation actions in order to meet compliance requirements.

However, even as PCI DSS 3.0 moves towards implementation, not all merchants are fully aware of the three critical changes and why the payment card processing system needs them. Version 3 of the standard includes changes from the previous version that are essentially clarifications on scope and segmentation and on the responsibilities of merchants and service providers. While these changes will greatly affect merchants, they will also help prevent tampering and skimming at any point of sale. Whereas enterprises have tended to run vulnerability scans on only a handful of their credit and debit card systems, under version 3 of PCI DSS compliance is required across all systems that handle card data, any otherwise unrelated systems connected to the same network, and supporting systems such as authentication servers, firewalls and web redirection servers.

Further, while PCI DSS already encourages network segmentation through the use of firewalls, version 3 expects enterprises to use network penetration tests to validate that their segmentation methods are operational and effective, by July 2015. In the aftermath of the Target point-of-sale breach, PCI DSS version 3 requires both merchants and service providers to formally document who is responsible for each PCI requirement. Moreover, with rising cases of tampering with physical point-of-sale devices, the new PCI requirement 9.9 calls for an inventory of devices and regular inspections to detect tampering.

Hence, with the January 2015 deadline in effect, merchants need to understand the scope and segmentation required for PCI DSS compliance, work with service providers to define responsibilities and potentially alter contracts, and implement controls for preventing tampering and skimming of point-of-sale devices. The January 2015 deadline for assessing against version 3.0 is around the corner, although some of these requirements do not go into effect until July 2015. The PCI DSS requirements will be validated during the first SAQ or QSA assessment in 2015, so it is best to start addressing the necessary changes immediately.

In summary, the three critical changes in PCI DSS v3.0 are: scope definition and segmentation; service providers’ responsibilities and the resulting need to alter contracts; and the controls to be implemented to prevent tampering and skimming at point-of-sale devices.

Aegify SecureGRC now includes, in its suite of ready-to-use compliance frameworks, the latest PCI DSS v3.0 controls for checking the compliance status of merchants quickly and easily, taking away the complexity of the controls mandated for merchants and their service providers. Find out quickly how compliant you are with PCI DSS v3.0 by running Aegify SecureGRC from the cloud.

The post Understand the Critical Changes to PCI DSS 3.0 that you as a Merchant must know appeared first on Aegify.

Major ‘Hack Attack’ Reported – Card-Holders at Risk
https://www.aegify.com/major-hack-attack-reported-card-holders-at-risk/ – Mon, 02 Apr 2012
Credit card companies have always been vulnerable to a number of security concerns, and with a hack attack reported by Global Payments, an Atlanta company that processes credit and debit cards, these concerns have intensified. Potentially exposing hundreds of thousands of account holders to fraud, this attack has heightened customer concerns about identity theft.

Putting at least 50,000 cardholders at risk, this breach is the latest in a wave of security attacks. However, the extent of the breach could not be determined because it was not clear whether the cardholders had seen any fraudulent transactions on their cards. The company said that it had identified and self-reported unauthorized access to a portion of its processing system, and added that the card data may have been accessed in early March. While the company did not disclose details of the type of data that had been accessed, industry parties have been notified to help minimize the impact on cardholders.

Global Payments is part of a group of companies known as ‘third-party processors’, which serve as middlemen between merchants and banks. This breach brings to light the complex network behind the payment system in the US, where little-known companies play a major role in processing several billion transactions every day. Such third-party processing companies have been hacking targets in the past too.

Word of this breach did not spread immediately; news began to circulate only after MasterCard and Visa started alerting card-issuing banks on Friday that customer data might be at risk. Both MasterCard and Visa stress, however, that their own networks were not compromised in the breach. According to Visa, the incident is being investigated by the US Secret Service and an unidentified forensic company.

Banks in general are reluctant to reissue cards to customers, as the administrative cost involved often exceeds the actual cost resulting from the fraud. Although it was not immediately clear how many cards might have to be reissued, Discover Financial Services said that reissuing cards to customers is the appropriate move. A spokesperson for Bank of America also said that if the bank believes customers’ information has been compromised at a third-party location, it will notify those customers and reissue their cards.

These major breach incidents and hack attacks continue to reinforce the need for a comprehensive security platform like SecureGRC. A solution like SecureGRC can help identify vulnerabilities in the system and fix them in a timely manner. It can provide complete security for data and effectively stop unauthorized access, thus averting security attacks and preventing breaches.

The post Major ‘Hack Attack’ Reported- Card-Holders at Risk appeared first on Aegify.

New Security Standard for SMBs to Protect Cardholder Information
https://www.aegify.com/new-security-standard-for-smbs-to-protect-cardholder-information/ – Mon, 05 Jul 2010
You must have read the news about a new security standard for SMBs (“Visa changes rules for SMBs: be PCI DSS compliant or face penalties”). Focused primarily on safeguarding customers’ confidential data after they pay with a credit card, this new security standard requires SMBs that accept credit or debit card payments to enroll in the PCI DSS program or face penal action.

Coming into effect on July 1st 2010, the new standard means that SMBs now have a mandate to build secure networks aimed at protecting cardholder information. It prohibits third-party payment software from storing authentication details such as the cardholder PIN and the magnetic stripe data. Read more on this in “Visa Puts Credit Security on You”.

While that applies to SMBs, larger enterprises are required to comply with the full PCI DSS standard by 30th September. The new standard now governs how cardholder data is stored, processed and transmitted.

With these new requirements, GRC solutions have gained more significance. By using SecureGRC™, a GRC platform that integrates with the business process, companies can now successfully deal with compliance and risk management.

The post New Security Standard for SMBs to Protect Cardholder Information appeared first on Aegify.
