Tags » Data Security, PCI Compliance, PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) has announced the availability of a summary of forthcoming changes to PCI DSS as it moves from version 1.1 to the previously announced version 1.2 in October.
Tags » CyberSource, Data Security, ECommerce Payments, PCI Compliance
CyberSource and Trustwave have announced a partnership to provide payment security solutions to Trustwave and CyberSource merchants in the United States and Europe. The solutions "will help merchants streamline compliance validation with the Payment Card Industry Data Security Standard (PCI DSS), providing a complete set of payment security services for merchants."
Tags » MasterCard, PCI Compliance
MasterCard Worldwide has announced the availability of three new seminars designed to help merchants protect payment card data and reduce the likelihood of reputational risk and the incidence of fraud. The new seminars are titled "Data Encryption: Understanding Encryption and PCI DSS," "Network Segmentation," and "Maximize Internal Preparations for PCI DSS."
Tags » Data Security, PCI Compliance
Verizon Business has announced a comprehensive report on data breaches concluding that "nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place." The study also provides key recommendations to help businesses protect themselves and urges them to be proactive.
Tags » Merchants, PCI Compliance
NetIQ has announced results of a survey of over 300 companies in North America concluding that, "despite multiple extensions of the Payment Card Industry Data Security Standard (PCI DSS) compliance deadline, companies are still struggling to adequately protect the data of their customers. The threat of significant fines (up to $500,000) and loss of customers and company reputation in the event of a security breach have not radically spurred PCI compliance."
Tags » Data Security, Merchants, PCI Compliance
Michael Dahn posted on the PCI Blog - Compliance Demystified about the recent discussions about the industry cost of PCI compliance. Both he and Walt Conway make important points about the key question being "Why is the cost of compliance so high?" and suggest that mastering PCI compliance is as much about defining scope down through business process changes as anything else. Walt writes: "Who said you have to keep doing things the same way as before? PCI is a great opportunity to actually reduce the institution's risk not by protecting CHD and all personally identifiable information (PII), but by getting rid of it."
Tags » Data Security, Merchants, PCI Compliance
A few days back we wrote about some expert views on the industry cost of PCI compliance. We've had several interesting discussions in email from folks reacting to the $2 billion number that my expert friends at dinner came up with. One of those, long-time friend and former colleague, Walt Conway, sent along his own "very rough cut estimate" of the PCI compliance costs. Walt's been consulting with colleges and universities on PCI for the last couple of years - and I asked him if we could share his thinking here.
Tags » Data Security, Merchants, PCI Compliance
A few weeks ago, as part of an article about Hannaford's recent card data breach, I blogged about my 'guestimate' of the cost of PCI compliance across the industry. I said: "Seems like somewhere between US$100 million and US$1 billion?" and asked for reactions. No one reacted - so maybe everyone agreed with my estimate?
Tonight at dinner with some sophisticated, experienced players actively involved in the business of PCI compliance, I posed the same question. After chewing on it a while (it takes a few minutes to comprehend the magnitude of the question!), they settled in on the figure of US$2 billion - to me a pretty staggering sum! Does spending of that magnitude significantly change the economics of card acceptance for merchants?
Tags » Data Security, Merchants, PCI Compliance, PCI Security Standards Council
The PCI Security Standards Council has announced the timeline for the release of PCI DSS version 1.2, scheduled for availability in October 2008. According to the Council, the new version of PCI DSS will 'enhance the clarity of its technical requirements, offer improved flexibility and address new and evolving risks and threats.'
Tags » Data Security, Glenbrook, Online Banking, PCI Compliance, Security
Two important new books about security - and payments security in particular - arrived on my desk this week.
The first book - the second edition of Ross Anderson's Security Engineering - provides fascinating insights into all of those things that are often overlooked when designing secure systems. Anderson provides a comprehensive survey of the issues, the nature of successful attacks, with serious recommendations on how to simply do better across a range of security applications. This is a big book - not exactly suited for reading on the beach - but important nonetheless! Rated 4.5 out of 5 stars by Amazon.com reviewers.
The second book - Zero Day Threat by Byron Acohido and Jon Swartz - provides real insights into the threats that attackers are exploiting to gain the necessary information to take over online banking, PayPal, brokerage, and other accounts. If "know your enemy" makes sense to you, then you'll find Zero Day Threat of great interest. Zero Day Threat is 5-star rated by Amazon.com reviewers.
Both of these books have just been added to the first page of the Payments News Bookstore on Amazon.com.
Tags » Card Fraud, Data Security, PCI Compliance
Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney for the Eastern District of New York Benton J. Campbell have announced that 'three defendants have been charged in a federal grand jury indictment and complaint with illegally accessing the computer systems of a national restaurant chain and stealing credit and debit card numbers from that system.'
Tags » ACH, Merchants Payments Coalition, PaySimple, PCI Compliance
PaySimple has announced the availability of PaySimple 2.0 that the company says 'helps small businesses bridge the technology gap, and to grow with the efficiency and cost-savings that large companies have, but with the customization and personal touch that small companies need.' With PaySimple Solution 2.0's Payment Processing Center, users have the ability to electronically collect payments via eCheck/ACH or credit card as well as pay their vendors via those channels from one system.
Tags » Data Security, Merchants, PCI Compliance
In an article titled 'The Tangled Web of PCI Compliance', Richard Adhikari writes for InternetNews.com - 'The best protection is to have an end-to-end solution combining source code reviews, vulnerability scans and Web application firewalls.'
Tags » Data Security, Merchants, PCI Compliance
David Navetta, a lawyer with InfoSecCompliance, writes for SC Magazine about the legal implications of the PCI Data Security Standard (PCI-DSS), saying it 'now presents serious legal challenges and risk for retailers.'
Tags » Data Security, Merchants, PCI Compliance
In an article titled 'Paying breach bill may not buy Hannaford full data protection', Jaikumar Vijayan writes for Computerworld about Hannaford's discussion last week that it is spending millions of dollars on new IT security tools. The grocer last week said it has plans to encrypt all payment card data on its internal network.
A friend of ours over the weekend wondered what the total cost to the industry of PCI compliance will be. Seems like somewhere between $100 million and $1 billion? What do you think? Comments?
Tags » Data Security, Merchants, Payment Application Data Security Standard, PCI Compliance
The PCI Security Standards Council has announced the availability of two Information Supplements providing further clarification for PCI DSS Requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts.
Tags » Data Security, Merchant Link, Merchants, Merchants Payments Coalition, PCI Compliance
Merchant Link has announced that it has seen a significant increase in the adoption of its credit card payments security product, TransactionVault, by quick service, casual and table service restaurant organizations nationwide, including Perkin's, Zaxby's, Famous Dave's, La Madeline, and Ruth's Chris Steak House.
Tags » Payment Application Data Security Standard, PCI Compliance, PCI Security Standards Council
The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), has announced the release of version 1.1 of the Payment Application Data Security Standard (PA-DSS).
Tags » Data Security, Merchant Link, Merchants, PCI Compliance
Merchant Link has announced results of a survey on credit card security and PCI compliance among attendees of the recently completed 2008 Multi-Unit Restaurant Technology Conference (MURTEC 2008) finding that "corporate reputation and customer concerns regarding the security of their data are the primary worries in the hospitality industry in terms of credit card use among restaurants of all sizes and styles."
Tags » Data Security, MasterCard, Merchants, PCI Compliance
MasterCard Worldwide has announced an agreement with The TJX Companies Inc. (TJX) to offer an 'Alternative Recovery Program to MasterCard issuers affected by the previously announced data breach of TJX. The agreement calls for TJX to provide up to $24 million to support an Alternative Recovery Program to settle claims made by issuers to recover costs and losses they claimed to have incurred in connection with the breach. Issuers must have previously filed claims and agree to the Alternative Recovery Program's terms to be eligible for compensation funded by the agreement.'
Tags » Data Security, Merchants, PCI Compliance
In an article titled 'Data Theft Carried Out On Network Thought Secure', Joseph Pereira writes for the Wall St. Journal about the recently reported payment card data breach at the Hannaford Bros. and Sweetbay grocery chains.
Tags » Data Security, Merchants, PCI Compliance
In an article titled 'Advanced tactic targeted grocer', Ross Kerber writes for the Boston Globe about how the data breach disclosed earlier this month by Hannaford Bros. Co. actually occurred. In a letter to Massachusetts officials, the company reported that malware had been installed on servers in each of its 300 stores. "The malware intercepted the 'track 2' data stored on the magnetic stripe of payment cards as customers used them at the checkout counter." Hannaford had been certified as PCI compliant in late February. In 2005, Hannaford was featured for its migration to a Linux-based in-store POS environment.
Tags » Data Security, Merchants, PCI Compliance, Security
The Federal Trade Commission has announced that TJX has agreed to settle charges that it engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that TJX implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. Full details available here.
Tags » Card Fraud, Data Security, Merchants, PCI Compliance
Hannaford Bros. Co., a Scarborough, Maine, supermarket chain with 165 stores has announced "containment of a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed or obtained." The AP reports that "about 4.2 million unique card numbers were exposed."
Tags » Data Security, MasterCard, Merchants, PCI Compliance
MasterCard has announced the immediate availability of a complimentary educational webinar developed to help merchants better understand the newly available PCI Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) version 1.1 that has been updated and released by the PCI Security Standards Council.
Tags » Data Security, Merchants, Payment Application Data Security Standard, PCI Compliance
The PCI Security Standards Council has announced that its updated Self Assessment Questionnaire (SAQ) for merchants and service providers is now available.
Tags » PCI Compliance, Visa
Visa Inc. has announced that "as of the end of 2007, more than three-fourths of the largest U.S. merchants (those processing six million or more Visa transactions annually) and nearly two-thirds of medium-sized merchants (those processing between one million and six million Visa transactions annually) have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa's U.S. transaction volume."
Tags » Data Security, PCI Compliance
The Associated Press reports that "Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing. GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people."
Tags » Data Security, PCI Compliance, Visa
The TJX Companies has announced that "it has entered into a Settlement Agreement with Visa U.S.A. Inc. and Visa Inc. Under the agreement, an alternative recovery offer will be made to eligible U.S. Visa issuers that issued payment cards potentially affected by TJX’s previously announced unauthorized computer intrusion(s), and Visa will recommend the offer."
Tags » Data Security, PCI Compliance
Mark Jewell reports for the AP that "half of more than 3,000 retail stores that a wireless security company secretly monitored at major shopping areas in the U.S. and Europe use wireless data systems vulnerable to hacking."
Tags » Payment Application Data Security Standard, PCI Compliance
The PCI Security Standards Council has announced that it is adding a new standard for payment application software - called Payment Application Data Security Standard (PA-DSS) - that is based on Visa's Payment Application Best Practices (PABP).
Tags » PCI Compliance
Dennis Reedy, CTP, managing director, Treasury Operations, Indiana University and Walt Conway, Walter Conway Associates, have written an article titled "5 Strategies to Achieve PCI Compliance". "There are two things financial managers at every level in the organization need to understand about PCI DSS. The first is that the standard is mandatory—if you accept payment cards, you are subject to the standards. The second is that there can be significant costs if you are not compliant and your systems are breached, compromising sensitive cardholder data."
Tags » Data Security, PCI Compliance
IBM has announced "a new program that provides products and services to help customers achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Unlike competitive offerings, the comprehensive program is designed to take companies through the entire PCI compliance process, from assessment to compliance to certification, helping them meet all 12 PCI requirements for safeguarding customer payment card data."
Tags » Data Security, ECommerce Payments, PCI Compliance
Akamai Technologies has introduced what the company is calling "the industry’s first and only PCI-compliant site acceleration service. PCI-compliant site and transaction acceleration will provide companies conducting ecommerce online with the assurance that sensitive credit card information is transmitted over a platform that is PCI-compliant."
Tags » Data Security, Merchants, PCI Compliance, Security, Visa
Jaikumar Vijayan writes for Computerworld about last week's announcement by Visa of new payment application security mandates. "Basically, they require any company that accepts payment card transactions to ensure that all third-party payment applications they use to store, process or transmit cardholder data comply with a set of minimum security requirements from Visa."
Tags » Data Security, Merchants, PCI Compliance
Ross Kerber writes for the Boston Globe about more filings in the TJX litigation now underway in Boston - including a review by Joel Lisker, a former MasterCard security executive.
Tags » Merchants, PCI Compliance, Visa
Visa has announced that 65 percent of the largest U.S. merchants (those processing six million or more Visa transactions annually) have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS), up from 36 percent in December 2006. Among medium-sized merchants (those processing one to six million Visa transactions annually), compliance grew from 15 percent in December 2006 to 43 percent as of September 30, 2007. The merchants that comprise these two categories account for approximately two-thirds of Visa's U.S. transaction volume.
Tags » Data Security, Merchants, PCI Compliance
Ross Kerber reports for the Boston Globe that recent court filings by a group of banks suing TJX over its breach of payment card data say that about 65 million Visa account numbers and about 29 million MasterCard account numbers were compromised. Fraud losses were estimated to range between $68 million and $83 million.
Tags » Data Security, PCI Compliance
Bryan Johnson blogs on the Braintree Payment Solutions blogs about PCI compliance and the potential cost of a data security breach involving payment card information.
Tags » Data Security, MasterCard, PCI Compliance
MasterCard Worldwide has announced a new PCI Merchant Education Program - calling it "an initiative offered to acquiring bank customers that provides practical assistance in educating merchants and encouraging broader adoption of the Payment Card Industry Data Security Standard (PCI DSS)."
Tags » Data Security, Financial Regulators, PCI Compliance
California Governor Arnold Schwarzenegger on Saturday vetoed Assembly Bill 779 - a bill by Sacramento Democrat Dave Jones that attempted to write into California state law a series of data security and protection methods regarding payment card and personal information. See our earlier coverage here on Payments News.
Tags » Data Security, PCI Compliance
In an article titled 'Making Sure Your Stores Guard the Data', Robin Sidel writes for the Wall St. Journal about the Payment Card Industry - Data Security Standard and how consumers might be able to assess a merchant's participation in securing their payment card data.
Tags » Data Security, PCI Compliance
Evan Schuman writes on his Storefront Backtalk blog about efforts by the National Retail Federation's CIO David Hogan to rethink the assumptions behind the Payment Card Industry - Data Security Standard. According to Hogan, "the bottom line is that it makes more sense for credit card companies to protect their data from thieves by keeping it in a relatively few secure locations than to expect millions of merchants scattered across the nation to lock up their data for them." More details about the NRF's recommendations are on the NRF web site including a letter from Hogan to the PCI Standards Council.
Tags » Data Security, Merchants, PCI Compliance
The full text of the TJX data breach analysis report produced by the Canadian Office of the Privacy Commissioner and the Office of the Information and Privacy Commissioner of Alberta is available online.
Tags » Data Security, Merchants, PCI Compliance
In an article titled "Guide to passing PCI's five toughest requirements" on SearchSecurity, Craig Norris writes about some survey results from VeriSign that identify the toughest requirements of the PCI-DSS standard for organizations to comply with.
Tags » Data Security, Merchants, PCI Compliance
Robin Sidel writes for the Wall St. Journal about payment card data security - pointing out that "smaller shops have proven ill-prepared for the complexities of safeguarding credit-card information." Some small merchants say they're not aware of potential vulnerabilities - or the need to protect data. Sidel notes that Minnesota passed the Plastic Card Security Act earlier this year which took effect in August. California's AB779 has been passed by both houses of the state legislature and is awaiting signature by the governor.
Tags » Data Security, Merchants, PCI Compliance
TJX announced late yesterday that it "has entered into a Settlement Agreement with respect to the customer class actions in the United States, Canada and Puerto Rico relating to customer claims arising from the criminal intrusion(s) into TJX's computer system."
Update: Evan Schuman looks at the details of the TJX settlement.
Tags » Data Security, Financial Regulators, PCI Compliance
The San Francisco Chronicle writes an editorial in favor of Assembly Bill 779 authored by Assemblyman Dave Jones. The bill has passed both houses of the California legislature and is awaiting signing by Governor Arnold Schwarzenegger. Retailers are urging the governor not to sign the bill.
The bill's requirements mostly mirror those of PCI-DSS, including a requirement that retailers in the state encrypt the transmission of payment-related data. Beginning July 1, 2008 in California, one cannot "send payment-related data over open, public networks unless the data is encrypted using strong cryptography and security protocols or otherwise rendered indecipherable." Payment-related data is defined as "account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."
Tags » Banking Industry, Debit Cards, PCI Compliance, PCI Security Standards Council, Point of Sale (POS), Security
Taking on an expanded role, the PCI Security Standards Council has announced that it has also assumed responsibility for the PIN Entry Device (PED) Security Requirements that were previously administered under the auspices of JCB, MasterCard International and Visa International.
Tags » Data Security, Merchants, PCI Compliance
The September 2007 issue of the Harvard Business Review contains an article titled "Boss, I Think Someone Stole Our Customer Data" (purchase required) consisting of a case study along with accompanying commentary from four executives.
This case presents the fictional story of an electronics retailer who has been notified that it is "showing up as a common point of purchase for a large number of fraudulent credit card transactions." The case fills out some of the facts - and ends at the point where a recommendation to the CEO as to how to proceed is required. The executives' commentaries discuss what their recommendations are.
If you're involved in merchant card acceptance and PCI-DSS compliance efforts, we highly recommend you read this case - before your CEO does.
Tags » Data Security, PCI Compliance, Visa
Evan Schuman blogs on StorefrontBacktalk.com about PCI-DSS compliance, saying "PCI deployment isn’t perfect, but it’s quite impressive how far it’s come given the mammoth obstacles."
Tags » Data Security, Merchants, PCI Compliance
Ross Kerber reports for the Boston Globe that a suspect in the TJX payment card data breach has been arrested - although it's not clear whether he's the mastermind behind the attack.
Tags » Data Security, Merchants, PCI Compliance
Mark Jewell, AP Business Writer, reports on the TJX Cos. earnings report - including a "$118 million charge due to costs from a massive breach of customer data, mostly to build up a reserve to cover estimated future expenses." The full press release is here - with the company stating "This charge includes $11 million (after tax), or $.02 per share, for costs incurred during the quarter, as well as a reserve of $107 million (after tax), or $.23 per share, for the Company's exposure to potential losses." On January 17, 2007, TJX announced it had "suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions."
Tags » Data Security, PCI Compliance
Matt Hines writes for Infoworld about reactions from some enterprise IT leaders regarding Version 1.1 of the Payment Card Industry (PCI) Data Security Standard (DSS). "Bob Russo, general manager of the PCI Security Standards Council, said that the feedback the organization has received regarding the standard, including the newest additions, has been largely positive."
Tags » Data Security, PCI Compliance
Ross Kerber writes for the Boston Globe about recent activity related to the TJX data breach case - including some guilty pleas in Florida by card counterfeiters using some of the stolen card information. But the actual perpetrators of the data breach itself have yet to be identified.
Tags » Data Security, Merchants, PCI Compliance, Visa
Visa USA has announced a program "designed to help the nation's small businesses improve their security. Visa's program calls for acquiring financial institutions to strengthen their existing data security efforts to identify and address risks among their small merchant customers, including identifying whether merchants are storing sensitive account data and are complying with the industry-wide Payment Card Industry Data Security Standard (PCI DSS)."
Tags » Data Security, PCI Compliance
Brian Fonseca reports for Computerworld on a discussion about the Payment Card Industry (PCI) Data Security Standard at the Symantec Vision user conference in Las Vegas last week. Fonseca writes that "as some retail executives openly criticize the PCI standard, for levying unfair costs and IT burdens upon their organizations, the financial services executives fired back by noting that high-profile data breaches at retailers like The TJX Companies Inc. are not originating from their side of the fence."
Tags » Data Security, Merchants, PCI Compliance
Marc Songini reports for Computerworld about retailer comments about PCI-DSS at this week's annual ERIexchange retail event in Boston where they complained about having to "carry an unfair burden in securing credit card data."
Tags » Data Security, PCI Compliance, PCI Security Standards Council
Avivah Litan from Gartner is out with a new note titled "New PCI Security Standards Council Needs More Power". From the abstract: "The Payment Card Industry Security Standards Council's newly elected Board of Advisors will help to improve stakeholder communication. But the advisors need voting power and expanded authority to resolve problems."
Tags » Data Security, PCI Compliance, Point of Sale (POS)
Shift4 Corporation has announced new technology for current and legacy point-of-sale (POS) systems that, when used with Shift4's $$$ ON THE NET® gateway, removes all useable personal credit card data at the POS terminal, in back-office data storage and during all data transport.
Tags » Data Security, Debit Cards, PCI Compliance
Tim Landis reports for the Springfield, Illinois Journal Register about a local restaurant's data breach resulting in reissuance of a number of debit cards. The comments at the bottom of the story reflect some of the consumer frustrations associated with this kind of event.
Tags » Data Security, PCI Compliance, PCI Security Standards Council
The PCI Security Standards Council (PCI SSC), an independent industry standards body providing management of the Payment Card Industry Data Security Standard (DSS) on a global basis, has announced the results of elections for the PCI SSC Board of Advisors. The Board of Advisors will represent the current roster of nearly 200 PCI SSC Participating Organizations and provide feedback to the ongoing enhancement of security standards managed by the Council.
Tags » Nova Information Systems, PCI Compliance
NOVA Information Systems has announced a data security compliance program to help "Level 4" merchants comply with the Payment Card Industry Data Security Standard (PCI DSS). According to the PCI DSS, Level 4 merchants are defined by processing fewer than 20,000 e-commerce transactions and/or fewer than 1 million Visa or MasterCard transactions annually. NOVA currently processes for more than 850,000 merchants in North America, most of which meet the Level 4 criteria.
Tags » Data Security, PCI Compliance, PCI Security Standards Council
The PCI Security Standards Council (PCI SSC), an independent industry standards body providing management of the Payment Card Industry Data Security Standard (DSS) on a global basis, has announced that it has implemented formal channels for stakeholders to contribute to the organization and development of data security standards.
Tags » Data Security, Merchants, PCI Compliance
On Friday, the Wall St. Journal published a front page story by Joseph Pereira about the TJX data breaches that he says began about two years ago outside a discount clothing store near St. Paul, Minnesota.
Tags » Data Security, PCI Compliance, Privacy, Security
Sarah D. Scalet writes for CSO Magazine about the Payment Card Industry - Data Security Standard (PCI-DSS) - calling it "corporate America's most ambitious effort yet to prove that it can self-regulate."
Tags » CyberSource, Data Security, ECommerce Payments, Merchant Acquirers, PCI Compliance
CyberSource has announced enhanced "global payment capabilities, expanding the international payment reach of its eCommerce merchants and simultaneously adding anti-fraud and security measures." According to the company, a single connection with CyberSource now provides access to payment processing services for cards, direct debits, and bank transfers in over 190 countries - including new fraud screening capabilities to manage online payment risk across different international markets and secure payment data storage allowing merchants to transact globally without storing sensitive payment data on their networks.
Tags » Data Security, Merchants, PCI Compliance
Ross Kerber reports for the Boston Globe that a group of New England banks is preparing to sue TJX Companies over the recent payment card data security breach at the retailer. According to Kerber, they intend to "seek tens of millions of dollars in damages from TJX."
Tags » Data Security, PCI Compliance, Security
RSA has announced "an expanded Payment Card Industry Data Security Standard (PCI DSS) Solution portfolio, a suite of products and services that help enable customers to answer the most challenging IT security technology challenges associated with the PCI DSS. As part of the RSA PCI Solution, RSA also announced a new blueprint for promoting compliance by discovering data and infrastructure, assessing risk, enacting remediation and ensuring sustained controls."
Tags » Data Security, First Data Corp., PCI Compliance, Security
Robert Westervelt reports for SearchSecurity.com on comments made by First Data's Chief Information Security Officer Phil Mellinger regarding the Payment Card Industry Data Security Standards (PCI DSS) in which he calls for "an overhaul to eliminate subjectivity and ease restrictions to get more merchants to meet the standard."
Tags » Data Security, Merchants, PCI Compliance
Mark Jewell, Business Writer for AP, looks at the same store sales figures reported by data breach victim TJX Companies that "reported sales at stores open at least a year rose 6 percent in March." Jewell reported that "customers leaving a T.J. Maxx store Thursday in Boston's Downtown Crossing shopping hub said the retailer's cut-rate prices on clothing and home goods are a big enough draw to offset any worries about lax data security. They said they didn't see TJX as any more susceptible to such theft than any other retailer." One recent consumer survey concluded that data breaches would matter to consumers and affect their decisions as to where they shop.
Tags » Data Security, Merchants, PCI Compliance
RSA has released findings from a survey "polling North American businesses impacted by the Payment Card Industry (PCI) Data Security Standard (DSS), a framework of best practice requirements for all organizations that collect, process or store credit card account and transaction information."
Tags » Data Security, Merchants, PCI Compliance, Security
Javelin Strategy & Research has published a new report on data breaches - examining consumer attitudes and the TJX security issue. The study concludes that "77% of consumers intend to stop shopping at merchants that suffer from data breaches. Retailers and merchants are viewed by 63% of consumers as the least secure when protecting consumer’s data, compared with processors (16%), card networks like Visa or MasterCard (5%) and issuers (5%). When little is known about a data breach, half of all consumers automatically consider the merchants where they shop to be at fault. However, 85% will reward merchants who are perceived as security leaders with increased purchases."
Tags » Data Security, Merchants, PCI Compliance, Security
Jenn Abelson reports for the Boston Globe on the TJX data breach reported earlier - saying the breach involved "at least 45.7 million credit and debit card numbers" stolen over a period of several years. The data was provided by the company in a 10-K annual report filing with the SEC yesterday.
Tags » PCI Compliance
Forrester's Khalid Kark and Chris McClean have published a new report titled "The Top 10 Things You Should Know About PCI Compliance" saying that "compliance levels remain low because the consequences for noncompliance weren't clear. Lately, however, the credit card companies have been threatening their clients with severe punitive consequences for noncompliance, including fines or loss of privileges to use their brands. As many companies scramble to get compliant after an initial period of inattentiveness, here are the top 10 things they need to know."
Tags » Card Fraud, Data Security, MasterCard, Merchant Acquirers, Merchants, PCI Compliance, Visa
Robin Sidel reports for the Wall St. Journal on steps being taken by Visa USA, MasterCard, and merchant processors to crack down on restaurants "for not adequately protecting diners' credit-card data from thieves." Sidel reports that "since January 2005, restaurants represented about 40% of incidents in which intruders gained unauthorized access to credit-card information, according to data tracked by Visa. That is the largest percentage of incidents among merchant groups."