Special Offers

Merchant Account News

Thursday, August 20, 2009

A Discussion You Might Want to Follow

What can PCI DSS do, and what can it not? What role may it have played or should it have played in the recent breaches?

There is a discussion going on at StorefrontBacktalk that you may want to read…and be sure to read the comments. It deals with the recent breaches and the questions above. Another great take on the indictments and security is at Mike Dahn’s blog (which also has a number of links).

Posted by Walt Conway at 9:00 AM 0 comments

Monday, August 17, 2009

Serial Credit Card Thief Indicted

The Justice Department claimed today’s indictment of three individuals represent the biggest case of credit card theft ever prosecuted. The one American and two unnamed Russians are charged with stealing over 130 million credit card numbers from all the organizations you’ve been reading about: Hannaford, 7-Eleven, Heartland Payment Systems, and a couple of others.

In some cases they sold the numbers; other times they used them to buy goods. To me, the big story was the reputed mastermind behind these and other thefts. This guy is already under other indictments for the TJX breach, among others.

Here’s the reason I’m bringing this to your attention: these guys targeted their attacks. They actually identified who would be likely to have lots of payment cards, then they systematically went after them.

If this doesn’t make you worry, it should.

If this doesn’t make you re-think storing PANs electronically, it should.

And…
If this doesn’t make you maybe a little more scared of the bad guys and a little less scared of your QSA, it definitely should.

Posted by Walt Conway at 4:49 PM 0 comments

Wednesday, August 12, 2009

UPDATED: Heartland CEO blames QSAs

I’m not sure I agree with everything that is said, but I recommend you read the article in ComputerWorld (also in CSO) where Heartland Payment Systems CEO Robert Carr talks about their massive data breach.

One good point he does make (which means I agree with him…) is when he says “If a smart person’s job is to define a set of rules to keep merchants from being breached and they have to start somewhere, what they come up with is going to look something like PCI. There has to be a lowest-common-denominator set of rules. PCI could be improved, but the standard is fine.”

Read the article, and blame who you want to blame or nobody. But keep in mind a few things. This was a processor. They have to retain cardholder data. You are a merchant. You rarely if ever need to retain the data. So go back and ask yourself if keeping cardholder data is really worth the risk and lost sleep.

UPDATE: For a response to Mr. Carr’s comments, you have to see this post by Rich Mogull at Securosis. I could not say it better.

Posted by Walt Conway at 4:53 PM 1 comments

MasterCard New PCI Requirements Clarified

MasterCard has posted a 4-page FAQ on its website describing the recent changes to its Site Data Protection (SDP) program. I’ve blogged about this previously, but now we have some details (with thanks to Branden Williams again).

Here is my take on what it means to you. I’ll focus on Level 2 merchants since that is where the changes are.

  • If you are a Level 2 merchant, you now need to hire a QSA to conduct and complete an onsite data security assessment by December 31, 2010, and repeat it annually. Forget the idea of using you internal auditors – that option no longer exists. It appears MasterCard has figured out (“I’m shocked, SHOCKED…”) that maybe some merchants were a little too liberal with checking the “in place” column in their SAQs.
  • Interestingly, if a L2 merchant outsources their processing to a validated processor, and the merchant would have previously qualified to validate their own compliance with SAQ A, then according to the FAQ they can continue to do so. The rationale is that since the processor has an onsite data security assessment, that covers the requirement. That one sounds like it might be a little inconsistent to me, but I’ll leave it to the folks at MasterCard and the acquirers to work it out.
  • There is an interesting point in the FAQ about “newly acquired merchants.” MasterCard seems to be taking a page from Visa’s playbook and requiring that acquirers only “board merchants that are PCI compliant.” So much for shopping around and changing acquirers to avoid compliance…

There’s more in the FAQ, but the message is clear. If you are a Level 2 merchant, it’s time to start looking for a QSA, which you can do by following this link to the PCI Council’s website.

BTW, the FAQ says all this information went out to MasterCard acquirers on June 15. Hmmm…let’s see…it’s now August and people are just finding out about this. But of course, all of you heard about this in June from your acquirer, right…?

Posted by Walt Conway at 8:28 AM 0 comments

Monday, August 10, 2009

PCI DSS v1.2.1

Most of you know that NACUBO in partnership with the Treasury Institute is a participating organization in the PCI Council. One of the benefits to you is that we (meaning “you”) get the latest news from the Council directly. One such example is the email I got today from the Council on version 1.2.1 of the PCI DSS.

I mention this only so that if you go to the Council’s website and download some of the publications, you will see this new version number. Don’t get too excited or concerned: there are no changes to the standard as detailed in the FAQ I received:

The move from version 1.2 to version 1.2.1 of the PCI Security Standards Council’s Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) signifies minor corrections designed to create more clarity and consistency among the standards and supporting documents. The changes are minor, for example; correcting spelling, eliminating redundant lines and updating language to synch with supporting documents. [emphasis added]

There are no additions to the requirements or to the intention of the standards. This change, and the creation of DSS, PA-DSS, and the PA-DSS Program Guide 1.2.1 is administrative in nature.
Each document has been updated with a table of changes on the front page illustrating precisely where the administrative updates have been made within the document.

Additional information in the Council’s FAQ includes:

Should I revisit my compliance plans or implementation timelines?
As there are no changes to the intention or requirements of the DSS, your compliance programs will be unaffected by the change from DSS 1.2 to DSS 1.2.1

Do I need to do anything differently?
You should continue to work with your assessor on your current compliance program. There are no changes from v1.2 to DSS 1.2.1.

Does this change your plans to roll out the next version of the PCI DSS?
This will not affect the planned, public lifecycle of the DSS. We are currently in the feedback period of the lifecycle and encourage organizations to share feedback with us through the online feedback form, FAQ tool and direct email contact. The first feedback period runs until November 1st and incorporates both the US and European Community Meetings.

So…if you download any documents from the Council, don’t be put off by the new version number.

Posted by Walt Conway at 7:45 PM 0 comments

Friday, August 7, 2009

Welcome Back, Mike!

Mike Dahn has a new blog, and I suggest you might want to follow it. Mike brings an unique blend of experience (former QSA trainer) and expertise to his PCI DSS rants…er, I mean posts. Today’s post is no exception…and I agree with every word of it.

Welcome back to the blogosphere, Mike.

Posted by Walt Conway at 7:13 AM 0 comments

Thursday, August 6, 2009

MasterCard Goes Public with Noncompliance Fines

Here is something I’ve been following for the past week or so, and I want to make sure you know about. According to Branden Williams’ blog, MasterCard has instituted a schedule of fines for Level 1-3 merchants who are not compliant. The fines are quarterly, they escalate, and they continue until you validate compliance:

– Levels 1 & 2: $25K first quarter; $50K second quarter; $100K third quarter; $200K fourth quarter.

– Level 3: $10K first quarter; $20K second quarter; $40K third quarter; $80K fourth quarter.

Add it up. If you are a L3 merchant and it takes you a year to get compliant, you might need to add about $80K to your budget for the fines.

There is more here and here.

Most of you may remember Visa’a Compliance Acceleration Program which was a set of financial incentives and penalties to get L1-3 merchants compliant. Now MasterCard has joined the act in a big way.

I can’t find anything at MasterCard’s SDP site. I understand that the details went out in a letter to acquirers. So I recommend that you follow-up with your acquirer and see if this new policy affects your school.

Meanwhile I’ll be monitoring developments and pass along what I learn.