Website Verification

Learn about how you can make your website secure and safe for your customers

Posts Tagged ‘pci’

What’s Wrong With The PCI DSS?

Posted by websiteverification on May 14, 2009

There has been a lot of criticism of companies that follow the PCI DSS as their only form of security. While it is important to have other security measures in place, following the PCI DSS does work!
clipped from www.tripwire.com

There’s nothing wrong with PCI DSS that cannot be cured by following it

I continue to hear comments that PCI DSS doesn’t work and that it should be modified or even eliminated.
I find it interesting that so much fault can be leveled at PCI DSS in light of the facts that Verizon Business puts forth in their 2009 Data Breach Investigations Report. Here are some of their findings after investigating data breaches that compromised 285 million records in 2008 alone:

  • 81% of the victims were not PCI compliant

The last point—81% of the victims were not PCI compliant—speaks volumes about the spirit, intent and effectiveness of PCI DSS … if it is treated as security best practice and followed on a daily basis rather than treated as a checklist that must be passed annually. Until each of the above percentages changes dramatically, I think PCI DSS should be seen as a good security best practice to follow continuously.
Posted by Ed Rarick

Posted in pci compliance, website verification | 1 Comment »

PCI DSS Fines

Posted by websiteverification on April 28, 2009

Ok, so we all know about the PCI DSS (Payment Card Industry Data Security Standards) by now. But some of you may be wondering what the PCI DSS fines are if you do not become compliant. The fines can be pretty steep as I will explain below, but not only will you risk huge fines if you aren’t compliant, you are putting your security system and customer information at risk.

All businesses that store, transmit or process credit card data are required to follow the PCI DSS, and should have become PCI compliant by the end of 2007. If you are one of these businesses and are not yet compliant, you are constantly at risk of losing sensitive cardholder data, which will most likely result in PCI DSS fines, legal action and bad publicity. Organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen, and risk not being allowed to handle cardholder data at all.

High-profile cases involving big corporations have hit the headlines in the last couple of years. The Payment Card Industry has threatened some larger merchants with huge fines of up to $25,000 per month until compliance is obtained. In the case of TJX (owner of the T.J. Maxx, Marshalls, Home Goods and A.J. Wright retail chains), the company reported spending $202 million because of the PCI violation that compromised the cardholder account information of as many as 40 million customers. The money is being spent to handle more than 20 lawsuits brought against it by banks and consumers in the U.S. and Canada and to pay settlements with credit-card associations.

So don’t risk it. If you are not yet PCI compliant get there now. It is not as hard as it may seem, and well worth the time and money you put into it. If you don’t want to risk those pesky PCI DSS fines, you know what to do!

Posted in pci compliance, website verification | 4 Comments »

Are you PCI Compliant?

Posted by websiteverification on January 24, 2009

What does it mean to be PCI compliant? Many people find the subject confusing and overwhelming. Nevertheless, PCI compliance is super important. It used to be optional for smaller businesses, but with hackers becoming more clever and bold, it is now required that all merchants who process credit card transactions, no matter how few, become PCI compliant.

Not only is it important for businesses to be PCI compliant, but it is important that they become PCI compliant as quickly as possible, in order to respond to the increasing concern of credit cardholders about their security. Here are a few steps to follow in order to get you started with PCI compliance.

First, determine your merchant level. All merchants fall into one of four levels as defined by the number of transactions the business processes over a year. For example, a level 4 merchant is classified as a business that processes fewer than 20,000 transactions per year, and is the most common small business merchant level. Once you know your merchant level, you will know more about exactly what is required of you.

Next, you should complete the PCI DSS Self Assessment Questionnaire (SAQ). The SAQ is a tool used to assist merchants and service providers in evaluating their compliance.

Finally, you should appoint a qualified vendor to perform the required network scans of your system in order to check for vulnerabilities. This is known as PCI scanning, and Trust Guard now offers this. I have found that they are really affordable compared to other companies, and not only that, they also offer third party verification and trust seals.

These are just a few of the steps you can take to get started with your PCI compliance. You will want to check with your acquirer or bank in order to find out more specific things you should do to become PCI compliant. It is super important, and will probably even attract more customers to your website as they will know that their information is safe. You can’t lose!

Posted in pci compliance, website verification | 1 Comment »

The Importance of PCI Scanning

Posted by websiteverification on January 13, 2009

Lately I have been doing a lot of research into PCI scanning and PCI compliance. It can be quite a confusing subject, with a lot of information that seems overwhelming. I would like to share with you just some basics that I have found about PCI scanning so you might have some of your own questions answered.

You are required to follow PCI compliance if your business or website is processing, receiving or storing credit card information in any form. PCI scanning comes in as part of this compliance. PCI scanning is when an approved scanning vendor scans the publicly accessible IP addresses associated with your website or the transaction process.

The type of PCI scanning and whether or not you need it depends on which merchant level you belong to. There are four different merchant levels, and basically, only one of these levels gives you the option to have PCI scanning, and even then there are additional things you need to look at.

So what it basically comes down to is that PCI scanning is important. Whether it is required of you or not, it is definitely a good idea. The best way that you can gain more customer trust is by being PCI compliant.

One company that I found to be efficient and affordable is Trust Guard. They offer quarterly and daily PCI scanning and loads of information about becoming PCI compliant. The best thing about Trust Guard is that they also offer trust seals so that your customers will know that you have completed the PCI scanning and are up to date. When a customer is sure that they can trust your site with their personal information, they will be sure to come back time and again. This will result in more sales for you.

The topic of PCI scanning can be a bit complicated, but hopefully this article has helped answer a few questions. PCI scanning is important and is definitely worth looking into if you own or are planning on owning a website that processes credit cards.

Posted in pci compliance, website verification | 1 Comment »

PCI Compliance

Posted by websiteverification on January 7, 2009

You may be wondering exactly what it means to be PCI compliant. I have been wondering the same thing, and so I have been doing a lot of research on the confusing subject of PCI compliance. Allow me to give you the basics about what I have learned.

First, PCI DSS stands for Payment Card Industry Data Security Standards. These are technical and operational requirements that were created by the Payment Card Industry to help businesses that process card payments prevent credit card fraud, hacking and other security vulnerabilities and threats. These standards are part of the merchant agreement you sign when you choose to process card payments. In order for a business to be PCI compliant, it has to meet each of these requirements.

The 12 requirements of PCI Compliance are:

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Second, in addition to these 12 requirements, you most likely will be required to have quarterly or daily scans of your site performed to check it for vulnerabilities. PCI scanning entails having an approved scanning vendor (otherwise known as an ASV) scan any publicly accessible IP addresses associated with your website or the transaction process.

Last but not least, you should check with your acquirer (the company with whom you signed up to process cards) to find out any more specific requirements that may be expected of you. If you are confused or unclear about your liability as a merchant, verify it with your acquirer to find out what they require from you to be PCI compliant.

One company that I found to be affordable for PCI compliance and scanning is Trust Guard. They are now offering PCI Scanning as a new service starting January 1, 2009.

Posted in pci compliance, website verification | 2 Comments »