Archive for the 'Industry Compliance' Category

Data Security: Who is Responsible?

August 31, 2009 Posted by Michael Brooks in Industry Compliance, Payment Industry

The latest news about Heartland Payment Systems’ 2008 security breach revealed some alarming, yet important, issues about the reporting of breaches and responsibility of the players involved in data security.

Heartland’s 2008 data breach is reported to be the largest breach of that year, but Heartland was not the only company hit by the same attacker. According to Bob Carr, CEO of Heartland, most of the companies affected did not come forward. Meanwhile, news articles are criticizing Heartland for not reporting the 2008 breach sooner so that customers and merchants could take precautions. While the Department of Justice has succeeded in arresting individuals behind the recent data breaches, the case should be a strong signal to any company that handles sensitive data to step up its efforts to prevent data loss.

Continue reading "Data Security: Who is Responsible?"

CISP, SDP, DISC…What Security Standard Do You Follow?

May 29, 2009 Posted by Michael Brooks in Industry Compliance

As a merchant, you accept Visa, MasterCard, American Express and Discover.  You have learned that each card brand has its own set of data security guidelines. So, which one do you follow? Good news! The card industry has made that decision for you.

A Little History

The PCI Security Standards Council (PCI SSC) was formed in September 2006 by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to maintain and promote a single data security standard for the card industry. The standard itself, PCI DSS version 1.0, had been published jointly by the brands in December 2004. Before that, each card company had developed its own data security program:

Continue reading "CISP, SDP, DISC…What Security Standard Do You Follow?"

The Payment Card Industry Security Standard Dozen

February 10, 2009 Posted by Michael Brooks in Industry Compliance

The Payment Card Industry Security Standards Council periodically revises PCI DSS. The current version, 1.2, has 12 requirements for protecting payment account data, ranging from software design and network configuration to policies and procedures. Version 1.2 introduces no new major requirements; it clarifies the existing ones and tightens a few areas where the Council felt added security was most needed.

Two changes are notable. One requires that off-site data storage locations be visited and validated as compliant with PCI DSS. The other imposes a sunset date on the use of Wired Equivalent Privacy (WEP). For those of us who don’t speak techie, WEP is the original encryption scheme built into 802.11 wireless equipment, intended to protect data as it travels over the air; its design is weak, and a WEP key can be recovered in minutes with freely available tools. In previous posts, I have talked about WEP networks having to be upgraded to Wi-Fi Protected Access (WPA or WPA2) by June 30, 2010.

Here are the 12 core requirements as outlined by the card associations:

Continue reading "The Payment Card Industry Security Standard Dozen"

Red Flag Compliance Deadline Extended

The Federal Trade Commission announced that “creditors” will not face fines for non-compliance with the Red Flag Rules until May 1, 2009. A creditor is defined as any entity that extends, renews, or continues credit and any entity that regularly arranges for the extension, renewal, or continuation of credit. For example, mortgage brokers, utility companies and automobile dealers are classified as creditors.

The extension is said to be largely due to complaints from creditors that they were unaware of the new regulation; some say they only found out after the deadline had passed. According to the official press release, the new deadline applies only to organizations whose sole regulator is the Federal Trade Commission, not to those overseen by another agency. FACTA requires financial institutions and creditors to implement a written identity theft prevention program that identifies and detects the warning signs (“red flags”) of identity theft, hopefully before any damage is done. When a red flag is detected, the regulation calls for the financial institution or creditor to respond in a way that reduces the risk to the consumer and to the organization.

Continue reading "Red Flag Compliance Deadline Extended"

How Do Business Owners Keep Up With New Compliance Rules Each Year?

January 19, 2009 Posted by Michael Brooks in Industry Compliance

Business owners already have a lot to worry about with changing tax laws and employee wage laws; now they have to add Payment Card Industry Data Security Standard (PCI DSS) compliance to the mix. PCI compliance has evolved with each passing year, bringing new rules, restrictions and deadlines. Some feel that compliance is expensive or too hard to achieve, but it does not have to be difficult.

PCI Compliance is a key element in protecting card holder data. So how can your business stay compliant without breaking the bank?

Continue reading "How Do Business Owners Keep Up With New Compliance Rules Each Year?"

SET Technology is Back on Visa and MasterCard’s Plate

December 12, 2008 Posted by Michael Brooks in Industry Compliance, MOTO/ecommerce

Secure Electronic Transaction (SET) is an open protocol with the potential to play a large role, even to dominate the market, in securing electronic transactions. Visa and MasterCard, together with vendors such as IBM, created SET as an open standard for protecting the privacy of electronic transactions and ensuring their authenticity. SET matters to electronic commerce over the Internet because without a system for authenticating both consumers and merchants, all parties involved are left vulnerable. Security measures need to come from the top down and bring uniformity to each industry. SET may sound like a necessity, but it has not been popular in the United States.

Consumers in the United States spend billions of dollars over the internet each year, and MasterCard reports that the majority of those purchases are made without SET. Most merchants who sell over the internet rely on Secure Sockets Layer (SSL) for their stores. SSL encrypts the session between the shopper’s browser and the store, but it does not authenticate the cardholder, and it hands the merchant the full card number, which is exactly what SET was designed to avoid. Typically SSL alone would be considered enough, but fraud is on the rise, and the economy is contributing to increased internet theft and identity theft.

Continue reading "SET Technology is Back on Visa and MasterCard’s Plate"

What Does PCI Really Mean to the Average Business Owner?

December 4, 2008 Posted by Michael Brooks in Industry Compliance

Merchant Services Providers and merchants have been hearing about PCI Compliance for the past few years. Sometimes there is a lack of understanding about what is needed to become PCI compliant. We come across information online or by word of mouth, and it may not always be correct. Some say it’s better to be safe than sorry, so make sure to do your research.

Some online merchants think that if they select a PCI compliant gateway and shopping cart they are automatically PCI compliant. Online merchants should remember that physical security and written policy are part of the process as well. Merchants are required to submit a Self Assessment Questionnaire (SAQ) to their acquirer once a year, but just submitting the SAQ may not be enough: employees must also be trained on the security policies, and businesses must keep assessing and remediating on an ongoing basis.

Merchants may think that PCI compliance is for large businesses and too expensive for the average small retailer; however, the fines for non-compliance are much greater than the cost of complying. A breached business faces not only fines and forensic audit costs but also a loss of reputation. Even a small business is required to be PCI compliant, regardless of its transaction volume.

Continue reading "What Does PCI Really Mean to the Average Business Owner?"

Is Your Company’s Wi-Fi Network Secure?

October 23, 2008 Posted by Michael Brooks in Industry Compliance

WEP (Wired Equivalent Privacy) is the original encryption scheme for 802.11 wireless networks. Major retailers, TJ Maxx among them, have run WEP and been broken into through it. Many weaknesses have been identified in WEP, and a WEP key can be recovered in minutes with freely available tools.

In the PCI DSS 1.2 Summary of Changes, the PCI Security Standards Council announced several adjustments to the wireless network security requirements:

  • Wireless must be implemented using strong encryption for authentication and transmission. The Council cites IEEE 802.11i as an appropriate example.
  • Merchants are no longer permitted to deploy any new Wired Equivalent Privacy (WEP) networks as of March 31st, 2009.
  • Merchants with existing WEP networks must stop using WEP no later than June 30, 2010, moving to Wi-Fi Protected Access (WPA or, preferably, WPA2).

Converting to WPA should be a fairly easy process. Wi-Fi Protected Access is the Wi-Fi Alliance’s replacement for WEP (not to be confused with WAP, the Wireless Application Protocol used by mobile phones). Equipment certified since late 2003 supports WPA, and WPA2, which implements the full IEEE 802.11i standard with AES encryption, has been mandatory for Wi-Fi certification since 2006, so for most merchants the change is a configuration setting on the access point and its clients rather than a hardware purchase. Older access points or handheld scanners that only speak WEP will need to be replaced.
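Before a merchant can plan the conversion it has to know which of its networks are still on WEP, and the access point inventory is often wrong. The following is an added example written for this post, not code from the original page: it parses the text that the Linux `iw dev wlan0 scan` command prints and classifies each network as open, WEP, WPA or WPA2, flagging the ones that fail the PCI DSS 1.2 wireless requirement. The detection rule is that a beacon with the Privacy capability bit set but no WPA or RSN (WPA2) information element is WEP. The scan output below is constructed for the example, not a real capture, and the `iw` text layout assumed here (one `BSS` line per network followed by indented `capability:`, `SSID:`, `WPA:` and `RSN:` fields) is an assumption about the tool’s output.

```python
"""Classify Wi-Fi networks from `iw dev <iface> scan` output and flag WEP.

Added example for this post; not code from the original page. Assumes the
text format printed by the Linux `iw` tool: each network starts with a
"BSS <bssid>(on <iface>)" line, followed by indented fields such as
"capability:", "SSID:", "RSN:" (WPA2) and "WPA:" (original WPA).
"""
import re

# Constructed sample output (not a real capture) covering the four cases a
# PCI reviewer has to tell apart: open, WEP, WPA (TKIP) and WPA2 (CCMP).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
\tfreq: 2412
\tcapability: ESS (0x0401)
\tsignal: -40.00 dBm
\tSSID: Guest-Open
BSS 00:11:22:33:44:02(on wlan0)
\tfreq: 2437
\tcapability: ESS Privacy (0x0411)
\tsignal: -55.00 dBm
\tSSID: POS-Legacy
BSS 00:11:22:33:44:03(on wlan0)
\tfreq: 2462
\tcapability: ESS Privacy (0x0411)
\tsignal: -61.00 dBm
\tSSID: Store-WPA
\tWPA:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: TKIP
\t\t * Authentication suites: PSK
BSS 00:11:22:33:44:04(on wlan0)
\tfreq: 5180
\tcapability: ESS Privacy (0x0411)
\tsignal: -48.00 dBm
\tSSID: Store-Cardholder
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)


def parse_scan(text):
    """Split iw scan output into one dict per BSS with the fields we need."""
    networks = []
    cur = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "",
                   "privacy": False, "rsn": False, "wpa": False,
                   "ciphers": set()}
            networks.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("SSID:"):
            cur["ssid"] = field[len("SSID:"):].strip()
        elif field.startswith("capability:"):
            # "Privacy" is the 802.11 capability bit meaning "encryption on".
            cur["privacy"] = "Privacy" in field
        elif field.startswith("RSN:"):
            cur["rsn"] = True      # 802.11i / WPA2 information element
        elif field.startswith("WPA:"):
            cur["wpa"] = True      # vendor-specific WPA (2003) element
        elif field.startswith("* Pairwise ciphers:"):
            cur["ciphers"].update(field.split(":", 1)[1].split())
    return networks


def classify(net):
    """Map the parsed flags to the security type a PCI DSS review cares about."""
    if net["rsn"]:
        return "WPA2"
    if net["wpa"]:
        return "WPA"
    if net["privacy"]:
        # Encryption advertised but no WPA/RSN element: that is WEP.
        return "WEP"
    return "OPEN"


def pci_findings(text):
    """Return (ssid, bssid, type, verdict) per network. WEP and open networks
    fail requirement 4.1.1; TKIP-only networks get a warning."""
    findings = []
    for net in parse_scan(text):
        kind = classify(net)
        tkip_only = "TKIP" in net["ciphers"] and "CCMP" not in net["ciphers"]
        if kind in ("WEP", "OPEN"):
            verdict = "FAIL: not permitted for cardholder data (WEP sunset June 30, 2010)"
        elif kind == "WPA" or tkip_only:
            verdict = "WARN: TKIP-based; move to WPA2 (802.11i) with AES-CCMP"
        else:
            verdict = "PASS: WPA2 (802.11i) with CCMP"
        findings.append((net["ssid"], net["bssid"], kind, verdict))
    return findings


if __name__ == "__main__":
    for ssid, bssid, kind, verdict in pci_findings(SAMPLE_SCAN):
        print(f"{ssid:20} {bssid}  {kind:5} {verdict}")
```

On a real machine, capture the scan with `iw dev wlan0 scan > scan.txt` (root is needed for an active scan) and pass the file contents to `pci_findings`. Every FAIL line is a network that must be gone before the June 30, 2010 deadline, and any WEP network that is not in the merchant’s own inventory deserves a closer look, because rogue or forgotten access points are exactly how the retailer breaches mentioned above started.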

Continue reading "Is Your Company’s Wi-Fi Network Secure?"

The Red Flag Deadline is Approaching

October 21, 2008 Posted by Michael Brooks in Industry Compliance

Although the Red Flag Rules were created to protect against identity theft, are some types of businesses more affected than others? In previous blogs I wrote about how merchants are not getting a fair shake when it comes to these rules, and many lawsuits have been filed against merchants. Several industries say that some of the rules are difficult to follow and fear the government fines that come with non-compliance.

For example, car dealerships fear they will not be able to comply. Since car dealers extend auto financing, they are considered creditors. Dealerships argue that it is very difficult to detect suspicious or unusual activity, and most of their staff is not trained to look for these types of things. According to Andrew Koblenz, the National Automobile Dealers Association’s general counsel, “We want to fight identity theft, and dealers have a tremendous self-interest in not selling a car to an identity thief, but the real world impact is that it would burden dealers.” Auto dealers speculate it could add as much as five hours to the loan application process.

The healthcare industry also falls into the category of creditor. If a hospital offers payment plans so patients can pay in installments, the hospital would be considered a creditor as well. Non-profit organizations and government entities that defer payment for goods or services are also considered a creditor. For the healthcare industry, the Federal Trade Commission is responsible for interpreting and enforcing the Red Flag Rules.

Continue reading "The Red Flag Deadline is Approaching"

Do the Big Banks Do Enough To Keep Identity Safe?

October 14, 2008 Posted by Michael Brooks in Industry Compliance

In previous posts I’ve talked about identity theft and ways to prevent fraud, but are our banks doing enough to protect their customers? Recently thousands of consumers’ personal information was stolen from Wells Fargo. MicroBilt, the self-proclaimed “single source industry leader in risk management information”, notified Wells Fargo of the breach, which was carried out using a stolen employee access code. Wells Fargo declined to comment on what alerted MicroBilt. So how did Wells Fargo make this up to its customers? They offered a one-year free subscription to their identity theft protection service. I feel this service should already be free and mandatory for all customers, not only those who may have had their identity stolen.

In similar news, thieves made off with ATM PINs and account numbers from Citibank ATMs. Does this mean the Citibank PINs were not encrypted as they were supposed to be? The bank has about 5,700 ATMs, owned and operated by Cardtronics Inc. and Fiserv Inc., inside 7-Eleven stores across the United States. How were the attackers able to access the system? Citibank, much like Wells Fargo, has declined to comment.

Continue reading "Do the Big Banks Do Enough To Keep Identity Safe?"


© Copyright 2009 TM&S. All Rights Reserved.