Steps to Take to Reduce the Anxiety of Paying Online
Last year, 92 million people bought things online using credit cards, debit cards and services like PayPal and Google Checkout. Millions of others paid bills and wired money electronically from bank accounts with just a few clicks.
Despite the apparent popularity of all these services, they still cause nagging anxiety for many of us. We wonder, how secure are these payment systems? Will I be out the money if someone steals my account numbers and goes on a wild shopping spree or bleeds my savings dry?
Deciding which online payment method to use would seem to be a simple matter of picking whichever offers higher security. But the wise consumer also weighs the legal protections in the case of theft: the best security and the lowest liability don’t necessarily go together.
Here’s the lowdown on the risks associated with the most popular ways to pay online:
via Steps to Take to Reduce the Anxiety of Paying Online – NYTimes.com.
PCI and the Art of the Compensating Control – CSO Online – Security and Risk
This guide to compensating controls is excerpted from chapter 12 of PCI Compliance by Dr. Anton Chuvakin and Branden Williams (Syngress, 2009). For a full sample chapter, see http://www.pcicompliancebook.info/
Information in this chapter:
* What is a Compensating Control?
* Where are Compensating Controls in PCI DSS?
* What a Compensating Control Is Not
* Funny Controls You Didn’t Design
* How to Create a Good Compensating Control
Few payment security professionals can find a hotter PCI DSS topic than compensating controls. They are often seen as a mythical accelerator to compliance: a way to push PCI compliance initiatives through to completion at minimal cost to your company, with little or no effort.
Compensating controls are challenging. They usually require a risk-based justification, and what one Qualified Security Assessor (QSA) accepts another may reject. There is no guarantee that a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previously accepted control invalid.
Also on CSOonline: PCI DSS No Angel, But Certainly Not the Devil
The goal of this chapter is to paint a compensating control mural. After reading this chapter, you should know how to create a compensating control, what situations may or may not be appropriate for compensating controls, and what land mines you must avoid as you lean on these controls to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).
via PCI and the Art of the Compensating Control – CSO Online – Security and Risk.
RSA 2010 EXCLUSIVE PCI Security Standards Council Interview
At RSA 2010, I was given a unique opportunity to interview Bob Russo, GM at PCI SSC, and Troy Leach, CTO at PCI SSC. I had prepared a deck of very tough questions and then had an hour-long discussion with Bob and Troy around those questions. What follows is a reconstruction of the interview from my notes, with minimal edits and clarifications by the Council folks.
A ‘Breach’ in Customer Loyalty
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to be a hot topic in hospitality circles, and for technology writers. In fact, large volumes have been written on the topic, with countless articles offering best practices and reporting on non-compliance penalties, such as increased fees and commissions. It has also been reported that the hospitality industry continues to struggle with compliance. The American Hotel and Lodging Association’s PCI Primer reports that upwards of 55% of credit card fraud comes from the hospitality industry, and that the smallest merchants (Level 4) account for more than 85% of compromises, with a noticeable increase in risk coming from franchisees.
There is one area, however, that remains difficult to measure: consumer confidence. What is the tangible impact on customer confidence and company reputations when a security breach occurs? The University of Delaware is conducting a study, with the assistance of graduate student Ekaterina Berezina, on the impact of poor security on consumer confidence. Specifically, the study seeks to understand the impact of a credit card breach on service quality, guest satisfaction, future revisit intention and the likelihood of recommending the brand/hotel to others (word-of-mouth intention).
Why 41 Percent of You Would Fail a PCI Audit – CSO Online – Security and Risk
Security vendors are launching a gazillion products this week at RSA Conference 2010, but hidden in all of those press releases are a few nuggets that illustrate the big picture trends. Here are a few of the more interesting items found in the press room this morning:
QSAs: 41 Percent of Companies Would Fail PCI audit
New research from The Ponemon Institute suggests nearly half of the companies out there would bomb a PCI security audit.
The report says that while only two percent of businesses outright fail compliance audits, 41 percent would fail if unable to rely on temporary compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. These alternative routes to compliance must meet QSA approval, but they may be only temporary fixes, or may be eliminated by future changes to PCI DSS. Their prevalence appears to indicate that businesses are still coming up to speed with the security standard introduced in 2006.
via RSA 2010: Why 41 Percent of You Would Fail a PCI Audit – CSO Online – Security and Risk.
Average Annual Cost of PCI Compliance Audit? $225k – CSO Online – Security and Risk
Merchants that undergo network audits to ensure compliance with the Payment Card Industry Data Security Standard are paying an average of $225,000 each year, and 10% of these businesses are paying $500,000 or more annually, according to a new study. In spite of that, 2% of them fail these audits.
The study, conducted by The Ponemon Institute under sponsorship of Thales, surveyed 155 Qualified Security Assessors (QSAs) worldwide who are authorized by the PCI Security Standards Council to conduct these annual technical reviews of the largest merchants’ networks. The QSAs were asked to share information about how much their customers are spending on annual PCI audits, which are required by banks and card associations, such as Visa or MasterCard, in order to be allowed to process payment cards.
With $225,000 to $500,000 spent annually on a PCI audit, “that’s a large chunk of change to be doing each and every year,” says Dr. Larry Ponemon, the Institute’s founder. That cost doesn’t include the technology changes and the operating and staff costs associated with the audit, according to the survey. Ponemon notes that sometimes the annual PCI audit “leads to a better security posture, but not always.”
via Average Annual Cost of PCI Compliance Audit? $225k – CSO Online – Security and Risk.