PCI Scanner - security you can trust

Heartland Payment Systems creates fraud-fighting operation group

The hacked payment processor Heartland Payment Systems has announced the creation of an internal department that will deal exclusively with the development of end-to-end encryption to protect merchant and consumer data used in financial transactions.

According to Robert O. Carr, CEO of Heartland Payment Systems, the PCI standard is good and effective, but fraudsters have become more sophisticated in matters of data encryption. Creating a department that will work on the development and deployment of end-to-end encryption will give the company the ability to implement increasing levels of security protection as they become needed.

“Heartland has been working on the development of end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts,” Carr continued. “To do this, we are forming a dedicated internal department and have named Steven M. Elefant, a well-known expert in point-of-sale payments, executive director.”

Elefant is a member of the US Secret Service Electronic Crimes Task Force and InfraGard, a public/private partnership of the Federal Bureau of Investigation. He is the co-founder and former chief executive officer of ICVerify Inc., which became the leader in integrating payment processing into PC-based point-of-sale software. In 1998, Elefant merged ICVerify with CyberCash Inc. to form an Internet service provider for electronic commerce.

Source: ecommerce-journal.com


Verizon will help Monext, formerly Experian, meet industry standards

Monext France (formerly Experian), a pioneer of e-commerce transactions, has entrusted Verizon Business Security Solutions to help the company’s online bank-payment processing system meet industry standards for protecting confidential data.

Verizon Business provides professional services support and expertise to obtain Payment Card Industry Data Security Standard (PCI DSS) certification for Monext’s processing system, Payline.

Monext is a major provider of secure electronic transaction solutions for French banking and financial organizations and employs more than 400 people. Payline, Monext’s secure online payment solution, was one of the first of its kind on the market, and now handles more than 5 million transactions each month for a variety of high-profile French and international banks, e-commerce organizations and retailers.

The PCI DSS initiative was established in 2004 to combat credit card misuse and fraud, and compliance is now obligatory for all global companies that collect, process or store credit card data. E-commerce companies, traders or service providers undergo a quarterly audit of their IT infrastructure by an external auditor; noncompliance results in high fines and greater business-transaction fees.
For Monext, PCI DSS-compliant services and architectures are absolutely business-critical in order to be able to deliver proactive protection of valuable confidential data and support the company’s corporate reputation. As a result, Monext needed a supplier with which it could build a long-term relationship — it does not view security as a one-hit approach, but rather as a key element of its ongoing business strategy.
Ludovic Denis, president of Monext, said: “Our security requirements are constantly evolving, so we needed a supplier who was able to offer us evolving and fully up-to-date expertise of both general security issues and the specifics of the certification process. The Verizon Business Security Solutions team has demonstrated a keen understanding of our local needs in the context of global issues, and has the local support capabilities and the strategic vision we need to help support our future business goals. By working with them, we have not only achieved our compliance goal, but also improved the overall efficiency of our daily business activities.”
Toufic Daaboul, PCI DSS development manager for Verizon Business, said: “Companies like Monext need a security services provider that can provide a holistic approach to PCI DSS compliance, combining consulting and technical support with implementation and service capabilities. Verizon Business’ strong expertise in the security market, combined with the company’s global presence and demonstrable track record, gave Monext the peace of mind it required in choosing a security partner.”

Source: PR Newswire

LogRhythm joins PCI Council to enhance payment security

In a move to make cybersecurity logs more effective, LogRhythm has joined the Payment Card Industry Security Council (PCI). IT departments typically use logs to monitor for security breaches by malicious employees or outside hackers. While log data can indicate unsuccessful attacks, it is particularly valuable for identifying actual intrusions.

This week the IRS released a report saying that it had not been properly collecting cybersecurity logs for the past 20 months, which means taxpayer data could have been hacked over the Internet. While the PCI group is focused on payment security, the addition of LogRhythm will extend its focus toward making logs across all organizations more secure.

“A significant percentage of LogRhythm’s customers must comply with the Payment Card Industry (PCI) Data Security Standard (DSS), so we have acquired deep domain expertise in helping organizations meet its requirements,” said Andy Grolnick, president and CEO of LogRhythm.

Source: ecommerce-journal.com

PayMate extends its presence to Nepal and gains PCI DSS certification

PayMate, a leading mobile commerce provider, reported two developments this week. First, its India-based division introduced its services in Nepal through its local representative PayBill, allowing Nepali customers to make payments using their mobile devices. Second, the company’s American division obtained PCI DSS compliance certification.

Nepali mobile users will soon be able to pay for mobile recharges, utility bills, movie and flight tickets, online purchases, retail shopping, person-to-person (P2P) money transfers, EMI payments and more with a simple SMS. PayMate’s SMS-based payment service will allow customers in Nepal to use their mobile phones as their credit or debit card to make easy and secure payments online, over the phone, across the counter or from almost anywhere. PayBill earlier partnered with Everest Bank Ltd, Nepal’s largest private bank, to offer remote mobile recharge to over 2.2 million subscribers of Nepal Telecom (NT), Nepal’s largest telecom company.

In addition, PayMate’s US-based division reported that it achieved PCI DSS 1.1 compliance, making it one of the first companies in the mobile payments processing market to obtain this kind of certification. As with any electronic payment service (of which mobile is simply another channel), the PCI DSS standard represents the best practices defined by Visa, Amex and MasterCard, covering requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Source: ecommerce-journal.com

PCI Compliance granted to INetU

Visa granted a PCI Compliance certification to INetU Managed Hosting (www.inetu.net). The audit of INetU’s network and hosting service was conducted and completed by Trustwave, a Qualified Security Assessor specializing in the Payment Card Industry Data Security Standard (PCI), which also delivered a Report On Compliance (ROC) confirming INetU’s status as a PCI compliant service provider. Visa accepted INetU’s ROC and certified INetU as a PCI compliant hosting service provider.

“Our PCI compliance certification obviously provides a direct benefit to all of our clients hosting sensitive credit card data, but all of our clients gain the additional security benefits that come from the rigorous requirements in the PCI specification,” said Dev Chanchani, President of INetU. “Along with our recent SAS 70 Type II Certification, getting confirmation of our PCI compliance is another sign of our commitment to helping our companies achieve greater success on the Internet.”

The remarkable aspect of INetU’s PCI compliance is that the assessment covered the company’s managed hosting practices, while the majority of hosting companies achieve PCI compliance only at the colocation service level.

Source: ecommerce-journal.com

Verrus meets PCI DSS requirements with Solidcore

Solidcore(R) Systems, Inc. announced that Verrus Mobile Technologies, Inc. has selected the Solidcore S3 Control PCI Pro(TM) edition with the aim of meeting file integrity monitoring and audit trail requirements of the Payment Card Industry Data Security Standard (PCI DSS) quickly and easily.

Verrus identified Solidcore PCI Pro as the ideal tool because of the benefits the edition provides. Network Configuration Management reduces the manual effort required to meet the requirements of PCI DSS section 1. Comprehensive Audit Trails give Verrus the data it needs to meet the requirements of PCI DSS section 10. Continuous File Integrity Monitoring lets Verrus administrators quickly identify where PCI compliance policies are being challenged, so they can meet the file integrity monitoring requirements of PCI DSS sections 10 and 11 more easily and effectively.

Solidcore(R) Systems, Inc. is a leader in protecting critical IT infrastructure from devices to the data center.

Verrus Mobile Technologies, Inc. is a leading provider of mobile phone payment services.

Source: ecommerce-journal.com

PayPal safeguards merchant transactions

MagTek®, Inc. has suggested that users of PayPal Virtual Terminal adopt the MagneSafe™ Mini card reader, designed by MagTek, to save time and reduce errors.

The card reader provides superior card data privacy and authentication for credit and debit card transactions. The MagneSafe Mini plugs directly into a computer’s USB port and can be used anywhere there is a computer, Internet access and a customer’s debit or credit card. One swipe enables the MagneSafe Mini reader to capture the customer’s name, card number, expiration date and card type, and to post the information to the merchant’s PayPal Virtual Terminal order form.

The card reader’s benefits for merchants are: increased data accuracy, since the credit or debit card is swiped instead of its details being typed; assured security; and compliance with PCI DSS requirements for secure cardholder data encryption.

The MagneSafe Mini can already be ordered from Dell at prices starting from $79.99 USD.

MagTek®, Inc. is a global leader in secure electronic payment technology.

Source: ecommerce-journal.com

More PCI compliant merchants in 2008, reported by Visa and PCI Council

The PCI Security Standards Council and Visa report that more merchants are validating their compliance with the PCI DSS. The set of rules provides merchants, banks and third-party processors with guidelines for the safe handling of customers’ credit card information. The PCI Council believes that failure to comply with the standards may lead to data breaches and, as a result, to losses.

The latest figures provided by Visa reveal that 65% of the largest merchants have validated their compliance with the PCI DSS, compared with 36% in December 2006. Midsize merchants are also moving toward PCI DSS certification, with 43% now compliant with the standard against just 15% at the end of 2006. In addition, as noted by Bob Russo, general manager of the PCI Security Standards Council, another 33% are on their way to compliance.

For small merchants the situation is much worse, as they often lack the resources to comply properly with a program such as PCI DSS. Yet Russo believes this is first of all a matter of education. He says the PCI Council is always trying to assist these merchants, with card brands and acquirers sending literature about PCI in their statements to small merchants. But in the end, small merchants fail to read this information.

Russo notes that compliance is even more indispensable for small merchants, because if they suffer a data breach there will be fines, remediation costs and then a full-blown audit. And last of all, lost customers.

Source: ecommerce-journal.com

Attention, plastic card owners! PCI standard

Do you use a credit or debit card online? I guess the answer is yes. There are many internet stores, hotels, car rentals, airlines and other companies that let you make a purchase or pay for services online. It is simple and convenient! But how do they protect your sensitive financial data? One of the measures is PCI DSS, the Payment Card Industry Data Security Standard. It was created to help organizations that process card payments prevent hacking, fraudulent charges and other breaches of security. However, some people say that PCI DSS does not ensure that card information remains safe.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of comprehensive technical and operational requirements for making online transactions as safe as possible. The main principles of the PCI standard are to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

According to these principles, organizations that process card payments need to install and maintain a firewall configuration, use and regularly update anti-virus software, encrypt transmission of cardholder data across public networks, restrict physical access to cardholder data, regularly test security systems and processes, etc.

The security standards are managed by the PCI SSC (PCI Security Standards Council). It regularly updates the PCI DSS by including new or modified requirements necessary to prevent breaches of security.

Before PCI DSS was created, card brands offered five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. They certified that merchants that accept their plastics meet minimum levels of security to protect consumer cardholder data.

It was not easy for a merchant to comply with the rules of each brand because the requirements for security management, procedures, policies and software design could vary. So in 2004 American Express, Discover Financial Services, JCB, MasterCard and Visa aligned their individual programs and released a worldwide standard – the PCI DSS.

The PCI DSS applies to all merchants that store, process or transmit cardholder data. It also includes guidance for software developers and manufacturers of devices used for card transactions. So if a company stores consumer financial data, it must be PCI DSS compliant. Non-compliant companies can lose the ability to process card payments – a death sentence for commerce.

Merchants must validate their compliance every year. PCI assessments can be performed by Qualified Security Assessors (QSAs) – companies that have been certified by the PCI SSC. A directory of QSAs is published on the Security Standards Council website.
Small companies may use a Self-Assessment Questionnaire (SAQ). Depending on the requirements of the card brands in the merchant’s state, the questionnaire may need to be validated by a QSA.

As you see, PCI DSS has the best intentions to protect consumer data. However, some IT security professionals believe that it provides just a basic security layer. PCI DSS barely addresses the newest and upcoming threats, so it might not be enough to prevent the loss of financial data.

Some companies are PCI DSS compliant and still have security breaches! For example, in 2008 Heartland Payment Processing Systems, one of the largest payment service providers, reported a loss of credit card data of over 100,000 clients. Security breaches also occurred at Okemo Mountain Resort and Hannaford Brothers – both PCI compliant companies.
That’s why you need to be careful. Of course, PCI DSS is an excellent tool to make all merchants pay more attention to IT security. Without it, our sensitive financial data would be much more vulnerable. However, it is just the minimum standard, so it makes sense to take additional measures to prevent fraud.

Source: ecommerce-journal.com