Experian Data Breach Resolution and the Ponemon Institute have released survey findings from more than 500 IT professionals who have experienced a data breach at their company.

"The responsibility of keeping customers' information secure cannot lie solely on the shoulders of IT; rather every executive in the organization should be aware since the reverberation of a breach will be felt by everyone," said Ozzie Fonseca, senior director at Experian Data Breach Resolution. "Survey results show us that a data breach is often the result of human error or a crime– neither of which can be 100 percent prevented. As such, companies must put measures in place – training, preparedness plans, guidelines, etc. -- to help protect their customers' information."

IronKey has announced that their Trusted Access for Banking product is "immediately available to allow banks to protect their commercial banking customers from the risk of compromised RSA SecurID authentication tokens."

"Criminals used an Advanced Persistent Threat (APT) attack to breach the RSA SecurID infrastructure, and can now combine that information with data-stealing malware in order to compromise high value online banking sites," said Dave Jevans, IronKey's founder and chairman. "IronKey is already working with banks impacted by the RSA SecurID data breach in order to protect their customers."

TNS has published a new white paper by Frost & Sullivan titled "Card Data Security in an IP World".

"While a shift to IP based payment systems (from legacy systems) offers many advantages to businesses, it also presents a much more advantageous environment for cybercriminals to operate as the protocols are easily understood; they can easily remain anonymous on public IP networks, and maintain hundreds or thousands of simultaneous connections for malicious purposes such as Denial of Service, which can make payment networks unavailable for processing transactions."

The white paper is available for download here (registration required).

RSA has publised a new security brief titled "Secure Payment Services: Card Data Security Transformed" which is available for download from their website. According to the company, "the new RSA Security Brief introduces a model for outsourcing credit card data security called "secure payment services." Secure payment services transfer safeguarding card information to outside service providers, improving electronic card data security while simultaneously reducing the time, complexity and cost of achieving PCI compliance for merchants."

Elavon has announced that Semtek and Voltage Security have been selected to include end-to-end encryption capabilities in its acquiring and gateway solutions.

Elavon says its "implementation is unique in that it has chosen to deliver both hardware and software-based technologies and stands ready to support additional end-to-end encryption technologies as they mature—allowing merchants to choose the security solution that best fits their needs today and in the future." READ MORE »

The Secure POS Vendor Alliance (SPVA), a non-profit business organization founded by Hypercom, Ingenico and VeriFone has announced the release of its End-to-End Encryption Security Requirements related to payment card data in payment card reading devices. The paper is targeted to vendors of POS devices and is intended to help create "widespread understanding of payment security issues and the adoption of best practices." READ MORE »

Merchant Link has announced that it has partnered with AJB Software Design, a provider of electronic payment authorization and data delivery solutions, to integrate Merchant Link’s TransactionVault, a tokenization technology to remove customer credit card data at the point of sale. According to the two companies, "Merchant Link clients who use AJB’s payment solution will have an added layer of transaction security without disrupting their current payment infrastructure." READ MORE »

First Data Corporation has announced it has expanded the merchant pilot of the its TransArmor data security solution to more than 400 U.S. merchants. FDC's TransArmor solution was developed in partnership with EMC Corporation and "addresses the root cause of merchant data security issues by removing payment card data from the merchant environment as part of processing the transaction, significantly reducing risk and the scope of PCI compliance efforts." READ MORE »

The Federal Financial Institutions Examination Council (FFIEC) has released an updated Retail Payment Systems Booklet that replaces the version issued in March 2004. The booklet is one of 12 that, in total, comprise the FFIEC IT Examination Handbook. The OCC commented: "The updated booklet incorporates developments in various aspects of retail payments activities since the first edition was issued and provides guidance on the risks and risk-management practices applicable to national banks. The booklet’s enterprise-wide perspective makes it a valuable tool to an entire organization in addition to an information technology department."

Javelin has announced a new report titled "End-to-End Encryption, Tokenization, and EMV in the US: Vendor Analysis of Emerging Technologies and Best Hybrid Solutions" that "assesses the capabilities of end-to-end encryption, tokenization, virtual terminals, magnetic-stripe security and the EMV standard as solutions to combat payment-related data breaches." READ MORE »

The Payment Cards Center of the Federal Reserve Bank of Philadelphia has published a discussion paper titled "Heartland Payment Systems: Lessons Learned from a Data Breach" by Julia S. Cheney.

From the abstract: "This paper summarizes discussions from a workshop hosted by the Payment Cards Center on August 13, 2009. The workshop examined the changing nature of data security in consumer electronic payments. The center invited the chairman and CEO of Heartland Payment Systems (HPS), Robert Carr, to lead this discussion and to share his experiences stemming from the data breach at his company in late 2008 and, as important, to discuss lessons learned as a result of this event. The former director of the Payment Cards Center, Peter Burns, who is acting as a senior payments advisor to HPS, also joined the discussion to outline HPS's post-breach efforts aimed at improving information-sharing and data security within the consumer payments industry."

Ingenico has announced a "comprehensive strategy to provide secure end-to-end solutions to assist merchants in complying with the PCI Data Security Standards." Ingenico says its strategy addresses the entire payment transaction process including: data in flight, data at rest, and architecture. READ MORE »

Heartland Payment Systems and Visa have announced "a settlement agreement under which issuers of Visa-branded credit and debit cards will have an opportunity to obtain a recovery from Heartland with respect to losses they may have incurred from the 2008 criminal breach of Heartland's payment system environment. Heartland will pay up to $60 million to fund the settlement program, which is subject to certain conditions, including a specified level of participation by U.S. Visa issuers. Visa will present details of the settlement to eligible issuers in the coming days." READ MORE »

The Financial Services Information Sharing and Analysis Center (FS-ISAC), a forum for sharing information about attacks, threats, vulnerabilities, and risk mitigation practices in the financial services industry, has announced that it is planning "a nationwide cyber attack simulation exercise to test the ability of financial institutions, processors, businesses and retailers to respond and recover from major cyber attack incidents that could impact their payment processes." READ MORE »

Chase Paymentech has announced a joint initiative with VeriFone and Semtek to provide end-to-end encryption technologies for merchants to combat threats to security. The companies said they "will work together to market and distribute VeriFone’s VeriShield Protect solution to the Chase Paymentech base of retail merchants. The end-to-end encryption solution is designed to help merchants reduce the costs to comply with Payment Card Industry (PCI) requirements and associated security risk by protecting card information from the point of swipe to the Chase Paymentech authorization host." READ MORE »

Hypercom and Heartland Payment Systems have announced a strategic relationship to deliver integrated, high-security payment systems to retailers nationwide and implement Heartland’s end-to-end encryption E3™ solution. READ MORE »

Commidea, a card payment processing solution provider in the UK, has announce the launch of Ocius Sentinel - calling it "the UK's first solution to offer both true end-to-end dual encryption and tokenisation. Ocius Sentinel has been fully certified for use by the major UK acquiring banks." READ MORE »

CyberSource has announced the incorporation of automated account updating services into its Enterprise Payment Security 2.0 solutions. According to the company, "customer billing records tokenized in CyberSource's remote secure storage servers can now be automatically updated with new account information (such as bank card expiration data or replacement card number) via the CyberSource Account Updater Service." READ MORE »

Visa has announced new global industry best practices for data field encryption, also known as end-to-end encryption. According to Visa, "the best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the "clear."" The best practices document is available for download. READ MORE »

VeriFone Holdings has announced that it has signed an agreement to become the lead investor in a Series B financing of Semtek Corporation - saying it "has doubled its investment in the security technology developer and acquired an option at a future date to purchase the remaining shares in Semtek." READ MORE »

Voltage Security, has announced it has extended Voltage SecureData™ by adding tokenization and data masking capabilities to the existing encryption functionality - enabling the end-to-end protection of data, such as credit card numbers, in applications and databases. Voltage SecureData says these additions provide "the most comprehensive end-to-end data protection solution available, giving customers the widest choice of protection options to simplify implementation, reduce PCI audit scope and lower costs." READ MORE »

First Data and RSA have announced they are teaming up to provide a new service called First Data Secure Transaction Management - "engineered to enable merchants to secure payment card data and remove it from their environment while allowing access when needed." The new service "is designed to dramatically reduce the cost and complexity of complying with the Payment Card Industry Data Security Standard (PCI DSS)." READ MORE »

VeriFone has announced the formation of a Global Security Solutions Business Unit - saying it will be "focused on delivering innovative security solutions, including VeriShield Protect end-to-end encryption, to protect cardholder data throughout merchant and processor systems." Jeff Wakefield, formerly vice president of marketing for VeriFone’s Integrated Systems business, was named general manager and vice president of the new business unit. READ MORE »

Glenbrook is looking for more information about providers who are providing tokenization and/or encryption products/services to merchants to help them reduce the scope of their PCI-DSS compliance obligations?

Last week, several companies responded to our Twitter tweets and LinkedIn status asking for more information - if you've already responded via email, there's no need to do so again!

But, If your company does provide tokenization/encryption services and hasn't already responded, then please do respond to this survey and tell us more about your offering. You can click "Read More" to answer our mini-survey or click here to open a fresh copy. READ MORE »

In an article titled "Defying Experts, Rogue Computer Code Still Lurks", John Markoff writes for the New York Times about the Conficker virus - first detected last November which now has some five million computers around the world under its control. "Wherever the authors are, the experts say, they are clearly professionals using the most advanced technology available."

Radisson Hotels & Resorts has issued an open letter to its customers informing them that the computer systems of some Radisson hotels in the U.S. and Canada were accessed without authorization. According to the company, "this unauthorized access was a violation of both civil and criminal laws. Radisson has been coordinating with law enforcement to assist in their investigation of this incident. While the number of potentially affected hotels involved in this incident is limited, the data accessed may have included guest information such as the name printed on a guest’s credit card or debit card, a credit or debit card number, and/or a card expiration date." READ MORE »

Based on an interview with Heartland Payment Systems CEO Robert Carr, Rachael King writes for BusinessWeek about lessons learned during the Heartland data breach that began in 2008 and was discovered and announced in January 2009.

Heartland Payment Systems has announced that yesterday it successfully completed the first phase of its end-to-end encryption pilot project. According to the company, "this first step involved the transmission of live AES (Advanced Encryption Standard)-encrypted card transactions from a merchant to Heartland’s processing platform. AES is the highest level of encryption and is currently on track to replace DES (Data Encryption Standard) and Triple DES as the desired standard for sensitive data."

Earlier this month Heartland announced it was working with Voltage Security to develop its end-to-end encryption approach. READ MORE »

Mercator Advisory Group has published a new report, End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance that "explores end-to-end encryption (E2EE) in the hands of merchants, payment service providers and processors. In the face of the three bogies of PCI DSS compliance and penalties, reputational risk and direct financial loss, the acquiring half of the payments process is evaluating options for eliminating cleartext cardholder data from their systems. Tokenization (the subject of a recent Mercator report) and end-to-end encryption are the leading candidates. This report examines the complexity of E2EE within payments and enterprise security." READ MORE »

Merchant Link has announced that it will offer later this year its TranactionVault hosted credit card security product and service to users of the latest version of the MICROS OPERA Property Management System (PMS). READ MORE »