Our Vice President of Marketing, Heather Varian Foster, was recently interviewed by Shawna Fennell on the Yahoo! Store Power Hour about Payment Card Industry (PCI) compliance as it relates to small- to medium-sized e-commerce merchants - and in particular, Yahoo! Store customers. We realize that there is a vast need for better education about PCI in the marketplace. It is a relatively new standard, and there is a lack of good information available to an audience in need. Below is a sampling of the questions and answers discussed in the interview that will hopefully be helpful to you as you navigate the PCI compliance process for your business.
What do PCI compliance requirements mean to small and medium-sized (Level 4) merchants?
If you are a merchant and you accept credit cards you must validate compliance at least annually. There is no way around this - all merchants need to do this. So let's talk about how you do that.
First, you need to complete the Self-Assessment Questionnaire (SAQ) on an annual basis. A few months ago a new SAQ was launched and re-designed to make the questions more relevant to what the merchant actually does. There are now 4 parts; which part best matches what your company does will determine the number of questions you will need to answer - and whether or not you will need quarterly vulnerability scanning. You will also need to make sure you attest to the truthfulness and accuracy of your responses on the SAQ.
What challenges do small and medium-sized merchants face when they are trying to become PCI compliant?
Most small and medium-sized companies don't have large IT departments, or an IT department at all, to handle the compliance process. So, often the business owner is forced to take on a role they are not comfortable with. Also, many smaller merchants can't get the help they need from their Web hosts to complete the SAQ or remediate vulnerabilities. Merchants should be very selective as they search for the right support services for their businesses - their PCI compliance provider, acquirers, hosts and others - to make sure they are going to get the help they need.
Since there are millions of small and medium-sized merchants - how do they find out about PCI compliance and the impact on their businesses?
First of all, acquirers must take on the responsibility of educating their merchants regarding cardholder data security, storage of prohibited cardholder data and PCI DSS compliance (according to VISA USA's Visa Business Review, May 2007). Having said that, there has only been a recent sense of urgency from the acquirers to do so. You should certainly look to them, payment processors, Web hosts and shopping carts or other merchant service providers you use to seek this information. You can also visit www.pcisecuritystandards.org, or our Website, www.controlscan.com, for more information about PCI compliance.
Some of the other questions answered in the interview include:
- How do small and medium-sized merchants know which SAQ to fill out or if they need to be scanned?
- Who needs to see proof of PCI compliance?
- If you are PCI compliant are you secure?
- What does PCI compliance mean to Yahoo! Store customers?
- Are merchants fined?
- What happens if you are breached?
- Does PCI compliance help increase conversions on merchants' Websites?
- What is the October 1, 2008 PCI compliance deadline?
- Will this deadline hold?
- How do I learn more about PCI compliance?
To hear the answers to the rest of the above questions, you can listen to the interview by visiting http://www.wsradio.com/wsradio-player.cfm/type/windows/show/1-Choice-Yahoo!-Store-Power-Hour/segment/19536.
'Til next time,
Joan
The eSecurity Diva
