Friday, July 25, 2008

Does Your Business Need to Be PCI DSS Compliant?

Despite tighter security at merchants and service providers, credit and debit card fraud continues to rise, and the perpetrators are using ever more sophisticated methods to reach sensitive payment card information. Fraud losses can be severe for a company of any size, and preventing them is not cheap.

Any company that stores, processes or transmits payment card data for any of the five major card brands (American Express, Discover, JCB, MasterCard and Visa) has to comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard was first published in 2004 to give the industry a single set of requirements for protecting cardholder data wherever it is stored, processed or transmitted, and for preventing, detecting and responding to security incidents.

Compliance is required not only of merchants and banks but of any third party that accepts or processes payment cards on their behalf, such as a call centre that receives cardholder data and cannot delete it. Merchants that use a payment gateway to process transactions for them are not exempt: outsourcing reduces the scope of what the merchant must validate, but the merchant remains responsible for the security of any cardholder data it still touches and must obtain a contractual commitment from the gateway that it complies with PCI DSS.

Fines for non-compliance or for a breach can be severe, up to $500,000 per incident, and high-profile breaches at large corporations have made headlines. Some card brands have threatened larger merchants with fines of up to $25,000 per month until compliance is achieved, and in severe cases with withdrawal of the ability to process card payments at all, which could be fatal for any merchant's business.

Visa reports that most breaches occur at small businesses, yet the standard applies to any company that stores, processes or transmits card data, whatever its size. Although intended as a global standard that protects consumers and businesses alike, its requirements can be time consuming, costly and complex to implement. Sensitive authentication data must never be stored after a transaction is authorised: the card security code (CVV2/CVC2/CID), the full contents of the magnetic stripe (track data) and PINs or PIN blocks. The primary account number (PAN), expiration date, cardholder name and service code may be stored, but the PAN must be rendered unreadable wherever it is kept (by truncation, strong encryption or a keyed one-way hash) and masked to at most the first six and last four digits wherever it is displayed.
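As an added illustration (not code from the original post or from the PCI Council), the following Python sketch applies those storage rules to a transaction record before it is written to a database: sensitive authentication data fields are dropped, the PAN is replaced by a masked form plus a keyed-hash lookup token, and free-text fields are scanned for card numbers a user may have typed in. The field names, the masking format and the keyed-hash token are choices made for this example, not something the standard prescribes, and the key and the sample record are constructed (the card numbers are the brands' published test numbers).

```python
# Added example (not from the original post): enforcing the PCI DSS storage
# rules on a transaction record before it is written to a database.
# Field names, the masking format (first six and last four digits) and the
# keyed-hash token are illustration choices for this example, not the
# standard's prescribed method.
import hashlib
import hmac
import re

# Sensitive authentication data: must never be stored after authorisation.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Hypothetical key; a real deployment keeps it in an HSM or key-management
# service, never in the same database as the records.
TOKEN_KEY = b"example-key-kept-outside-the-database"

# 13 to 19 digits with optional single space or dash separators, not embedded
# in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with X."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN so records can be matched by card without
    storing the number itself (a plain SHA-256 would be brute-forceable
    over the roughly 10^16 possible card numbers)."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list:
    """Luhn-valid card numbers hiding in free text, returned digits only."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scrub_text(text: str) -> str:
    """Mask any card number that a user typed into a free-text field."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_PATTERN.sub(repl, text)


def sanitize_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data, replace the PAN with its masked
    form plus a lookup token, and scrub card numbers from text fields."""
    out = {}
    for key, value in record.items():
        if key in SENSITIVE_AUTH_FIELDS:
            continue  # never persisted, not even encrypted
        if key == "pan":
            out["pan_masked"] = mask_pan(value)
            out["pan_token"] = pan_token(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample using the card brands' published test numbers, not real cards.
SAMPLE_RECORD = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/10",
    "cardholder": "J. Doe",
    "cvv": "123",
    "track2": "4111111111111111=1012101",
    "notes": "customer read card 5555 5555 5555 4444 over the phone",
}

if __name__ == "__main__":
    for k, v in sanitize_for_storage(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The free-text scan matters in practice: card numbers tend to leak into order notes, support tickets and logs, which then fall into scope. A Luhn check keeps the scanner from masking order numbers and phone numbers that merely look like card numbers.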

How to obtain PCI DSS compliance

Which validation route applies depends on transaction volume and sales channel, under thresholds set by each card brand. The largest merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA), a company certified by the PCI Security Standards Council to advise on and assess compliance; smaller merchants validate with a Self-Assessment Questionnaire (SAQ) and, where applicable, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Engaging a QSA early is still a sensible first step for a company that does not know where it stands.

The standard groups its twelve requirements into six control objectives:

1. Build and maintain a secure network - install and maintain a firewall configuration to protect cardholder data, and do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data - protect stored cardholder data, and encrypt its transmission across open, public networks
3. Maintain a vulnerability management program - use and regularly update anti-virus software, and develop and maintain secure systems and applications
4. Implement strong access control measures - restrict access to cardholder data by business need to know, assign a unique ID to each person with computer access, and restrict physical access to cardholder data
5. Regularly monitor and test networks - track and monitor all access to network resources and cardholder data, and regularly test security systems and processes
6. Maintain an information security policy - one that addresses information security for employees and contractors

The latest updated guidelines for PCI DSS are due for release in October 2008.

The benefits of PCI DSS compliance

• Protection from PCI related fines if compliant at the time of breach
• Increased customer confidence in data protection
• Guidance on identifying and remediating data security risks
• Guidance on managing the data security risk that service providers introduce to your business
• Increased protection from fraudsters
• Protection from unwanted negative media attention

With this said, there is no question why PCI compliance is as important as it is. It protects both the consumer and the merchant, making transactions considerably safer than they would otherwise be.

Managed Hosting provider for companies with applications that demand the highest levels of security and availability.

Thursday, July 17, 2008

E-commerce Security - Issues and Controls

The internet facilitates open and easy communication across the globe, and has made e-commerce possible. However, because of its unregulated nature, it poses a threat to the security of e-commerce systems. Hence, as an e-business owner, you should be ready to address an array of e-commerce security issues.

Here are some of the common problems created by hackers:

• Denial-of-service (DoS) attacks that will prevent authorized users from accessing your website. If this happens too often, your customers will walk away.
• Gaining access to sensitive data such as price lists, catalogues and intellectual property, and copying, altering or destroying it. Malware is one common route in; few organisations have escaped a virus infection at some point.
• Altering your website. Unscrupulous rivals might resort to such tactics to damage your company's image.
• Redirecting your customers to another site. You do the hard work, and someone else reaps the benefits.

Hence, you should introduce adequate e-commerce security control measures to reduce the risk to your systems. But remember, these controls should not be so restrictive that they impact the efficiency of your business.

Authentication: This is the technique of positively identifying someone seeking to access your e-commerce system. This usually involves any or all of the following:

• Assigning a user name and password combination to registered visitors.
• Requiring a second factor on top of the password, something the user possesses rather than knows, such as a one-time code from an authentication token combined with a personal identification number, so that a stolen password alone is not enough.
• Scanning a unique physical attribute such as a fingerprint or facial features.
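The following Python example, added here and not part of the original article, shows how the first two of those checks fit together: the password is verified against a salted PBKDF2 hash, and the second factor is a six-digit time-based code of the kind a hardware or phone token generates (computed as in RFC 6238). The user record, its secret, the iteration count and the thirty-second step are constructed for illustration; the TOTP secret is the RFC's published test key, so the expected codes are publicly known.

```python
# Added example (not from the original post): a two-factor login check that
# combines something the user knows (a password, stored as a salted PBKDF2
# hash) with something the user has (a time-based one-time code from a token,
# computed as in RFC 6238). The user record, its secret and all parameters
# are constructed for illustration.
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000
TOTP_STEP = 30   # seconds each code is valid for
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest); store both, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 one-time code for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the code for the current 30-second step or its neighbours,
    which tolerates a little clock drift between the token and the server."""
    step = int(now // TOTP_STEP)
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), code):
            ok = True
    return ok


# Constructed user store. The TOTP secret is the RFC 6238 test-vector key,
# so the expected codes are publicly known (at 59 s the code is 287082).
_SALT, _DIGEST = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {
    "alice": {"salt": _SALT, "digest": _DIGEST, "totp_secret": b"12345678901234567890"},
}
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy", salt=b"\xff" * 16)


def login(username: str, password: str, code: str, now: float = None) -> bool:
    """Both factors are always evaluated so that the response does not
    reveal which one failed, and unknown users cost the same as known ones."""
    user = USERS.get(username, {"salt": _DUMMY_SALT, "digest": _DUMMY_DIGEST,
                                "totp_secret": b"\x00" * 20})
    now = time.time() if now is None else now
    password_ok = verify_password(password, user["salt"], user["digest"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return (username in USERS) and password_ok and code_ok


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple", hotp(b"12345678901234567890", int(time.time() // TOTP_STEP))))
```

Two design points worth noting: the comparison of hashes and codes is constant-time, and the login routine evaluates both factors every time, so an attacker cannot learn from the response or its timing whether the password or the code was the part that failed. A real deployment would also rate-limit attempts, since a six-digit code is guessable given enough tries.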

Access control: access is granted on a need-to-know basis, which limits the number of people who can reach any given piece of information and so reduces the risk of misuse, whether by an insider or by an outsider who has taken over an account.

Encryption: technologies such as virtual private networks (VPNs) and SSL/TLS protect information while it is transmitted over a network, and encryption of stored data protects it where it sits on disk. One check that is easy to skip is that the server certificate presented over SSL is actually validated; encrypting a connection to an unverified party protects nothing. Companies like banks, which deal with sensitive information, will most certainly encrypt data.

Firewall: software or hardware that filters traffic between your systems and the outside world according to a policy, so that only the services you intend to expose are reachable. It does not stop viruses by itself and is no substitute for patching, but it reduces the attack surface and limits the damage done by user negligence. Kerberos, which is often mentioned alongside firewalls, is an authentication protocol based on symmetric secret-key cryptography that lets a company restrict internal services to authorised employees; it complements a firewall rather than replacing it.

Intrusion detection system (IDS): it inspects inbound and outbound network activity (or, for a host-based IDS, system and application logs) and identifies attempts to gain unauthorised access. When the IDS suspects an attack it raises an alarm or sends an e-mail alert; it does not block the attack by itself, so someone has to act on the alert.
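As an added example (not code from the original article), here is a minimal host-based detector in Python run over a handful of constructed web-server log lines: it alerts on a burst of failed logins from one address and on requests whose decoded URL carries an SQL-injection or path-traversal payload. The log lines, the five-failures-in-sixty-seconds threshold and the signature patterns are all assumptions made for the example.

```python
# Added example (not from the original post): a small intrusion-detection pass
# over web-server access logs. It raises alerts for two kinds of unauthorised
# access attempt: a burst of failed logins from one address (password guessing)
# and requests whose query carries SQL-injection or path-traversal payloads.
# The log lines, thresholds and signatures are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Signatures are checked against the URL-decoded path so %27 and ' look alike.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(?:or|and)\b|union\s+select|'\s*--", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
}
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(seconds=60)


def parse(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return (alert_type, source_ip, detail) tuples in log order."""
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["path"])
        for name, sig in SIGNATURES.items():
            if sig.search(decoded):
                alerts.append((name, rec["ip"], decoded))
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == 401:
            recent = failures[rec["ip"]]
            recent.append(rec["ts"])
            # drop failures older than the window
            while recent and rec["ts"] - recent[0] > BRUTE_FORCE_WINDOW:
                recent.pop(0)
            # alert once, when the threshold is first crossed
            if len(recent) == BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute_force", rec["ip"],
                               f"{len(recent)} failed logins within 60s"))
    return alerts


# Constructed sample log (documentation IP ranges, nothing real).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2008:10:15:01 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [12/Jul/2008:10:15:05 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [12/Jul/2008:10:15:09 +0000] "POST /login HTTP/1.1" 401 512',
    '192.0.2.10 - - [12/Jul/2008:10:15:10 +0000] "GET /products/1 HTTP/1.1" 200 4096',
    '203.0.113.7 - - [12/Jul/2008:10:15:13 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [12/Jul/2008:10:15:17 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [12/Jul/2008:10:15:21 +0000] "POST /login HTTP/1.1" 200 1024',
    '198.51.100.4 - - [12/Jul/2008:10:16:02 +0000] "GET /catalog?id=1%27%20OR%201=1-- HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Jul/2008:10:16:09 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 310',
    'not a log line at all',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the successful login at 10:15:21 after five failures is exactly the sequence a human analyst wants to see flagged: the guessing stopped because it worked. Signature matching on decoded URLs catches the obvious probes; a real IDS adds normalisation for double encoding and case variants, and tunes thresholds per application to keep false positives manageable.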

The importance of e-commerce security cannot be overemphasized. If your business strategy envisages the use of the internet, make sure that your systems are adequately protected. Books like "The Business of E-commerce: From Corporate Strategy to Technology" and "Security Becomes A Business Requirement For E-Commerce Companies" from amazon.com might be useful in order to deepen your understanding. You might also like to check out the e-commerce security products and services available at x-cart.com.

Hi, I'm Akhil Shahani, a serial entrepreneur who wants to help you succeed. If you like to work smart, check out http://www.SmartEntrepreneur.net . It's full of articles and resources to help you start and grow your business successfully. Please visit us & download our special "Freebie of The Month" at http://www.smartentrepreneur.net/freebie-of-the-month.html

Saturday, July 12, 2008

"Ransomware" - Extortion by Encryption

Recently there has been a rash of reports of computers infected with Gpcode.ak, a new variant of an attack that first surfaced a few years ago. Gpcode encrypts data on the affected computer's hard drive, plus any network shares to which it has access. It leaves the operating system alone (so the computer remains usable) but encrypts the user's data files. The encryption used by the original version was cracked, making it easy for anyone to decrypt his or her own files, but this new version uses a 1024-bit RSA key. According to Kaspersky, this would take a relatively modern PC about 30 years to crack.

Affected users find a "README" file directing them to contact a specific email address for details on purchasing a "decryption tool" in order to recover their files. Sometimes the additional threat of publicizing confidential information is included in this ransom note.

However, because of a flaw in this version, it is currently possible to recover the encrypted files. Gpcode produces the encrypted file as a separate copy and then deletes the unencrypted file rather than overwriting it in place, so its contents remain on disk until that space is reused. These deleted files can be recovered with file-recovery software that is widely available in both free and commercial offerings. Affected users should avoid rebooting their computers and should not use them for anything else until the files have been recovered, because every write to the disk risks overwriting the deleted data. This method of recovery is a temporary work-around at best: it has been widely publicised on the security forums, and it is only a matter of time before the virus authors add a step that wipes the deleted files from the disk.

It is unclear exactly how this virus spreads, but the vast majority of malicious infections come directly from spam email or from rogue web sites to which spam directs users. Therefore, minimizing one's risk of exposure to this virus means taking the normal precautions against any malware, such as keeping virus scanners and spam filters up to date, and having a clearly communicated policy about not following links in unsolicited emails (spam).


Christopher is an Information Security Consultant. You are welcome to reproduce this article on a computer security related web site, as long as you reproduce the article in full, including this resource box and the link to our website.

Tuesday, July 1, 2008

Dirty Little Computer Viruses and How To Protect Yourself

Whether you have learned the lesson from a past encounter with a nasty computer virus, or have been pressing your luck by surfing the web, downloading files and opening e-mail messages from people you don't know without any real understanding of how exposed you are each time you log on, you now have the opportunity to discover what steps you can take to avoid such an annoying, and often destructive, infestation.

Listed below are some of the guidelines you can follow in order to keep those nasty viruses from making a mess out of your computer and your life.

• Buy and install a well-respected antivirus program and set it to start automatically whenever the computer boots.

• Keep the antivirus software up to date, either by enabling its automatic update feature or by checking for updates yourself at least once or twice a week. The signature updates matter more than the scanner itself: an out-of-date scanner misses most new viruses.

• Set the antivirus program to scan word-processing documents when they are opened, including those that arrive by e-mail. Viruses carried inside such documents are called macro viruses; keeping macros disabled by default in the word processor stops most of them from running at all.

• When buying software, only buy from well-known vendors that you trust.

• Avoid moving data between computers on floppy disks or other removable storage. If exchanging files is unavoidable, scan the storage device for viruses before copying anything from it to the next computer.

• If you use floppy disks to transfer data, format them before their first use.

• Never use pirated software. It is illegal, and a very common way of inviting a virus in.

• Download software from the internet as little as possible. There are many useful programs available, but many viruses travel with them.

• If you must download a program from the internet, ALWAYS scan it for viruses BEFORE opening or installing it.

• Probably the most important and most neglected measure is a periodic backup of every important file on your computer. If a virus gets past your defences, you will need clean copies to replace the files it has corrupted, and a backup kept on a device that is disconnected when not in use cannot be damaged by the same virus.
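To make the backup point concrete, here is an added Python example (not from the original article) that archives a folder together with a manifest of SHA-256 digests, checks the live files against that manifest afterwards, and restores whichever ones no longer match. The folder, the file names and the simulated corruption are constructed inside a temporary directory.

```python
# Added example (not from the original post): a backup with an integrity
# manifest. make_backup() archives a directory and records a SHA-256 digest of
# every file; verify() later reports files whose content no longer matches,
# which is how you find out what a virus has corrupted; restore() puts the
# archived copies back. The sample files are constructed in a temporary
# directory, not taken from a real system.
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: str, archive_path: str) -> dict:
    """Write src_dir into a gzipped tar plus a JSON manifest of digests beside it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(src_dir: str, manifest: dict) -> list:
    """Relative paths that are missing or whose digest differs from the manifest."""
    changed = []
    for rel, digest in manifest.items():
        full = os.path.join(src_dir, *rel.split("/"))
        if not os.path.isfile(full) or sha256_file(full) != digest:
            changed.append(rel)
    return sorted(changed)


def restore(archive_path: str, dest_dir: str, members: list) -> None:
    """Copy the named archive members back under dest_dir. The names come from
    our own manifest, so they are plain relative paths with no '..' components."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for rel in members:
            data = tar.extractfile(rel).read()
            target = os.path.join(dest_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(data)


def demo() -> tuple:
    """Back up two constructed files, corrupt one as a virus would, detect and
    restore it. Returns (changed before corruption, changed after corruption,
    changed after restore)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "documents")
        os.makedirs(os.path.join(src, "letters"))
        with open(os.path.join(src, "budget.txt"), "w") as f:
            f.write("Q3 budget: 1200\n")
        with open(os.path.join(src, "letters", "bank.txt"), "w") as f:
            f.write("Dear bank,\n")

        archive = os.path.join(work, "documents.tar.gz")
        manifest = make_backup(src, archive)
        clean_before = verify(src, manifest)

        with open(os.path.join(src, "budget.txt"), "w") as f:
            f.write("GARBAGE")                       # simulated corruption
        changed = verify(src, manifest)
        restore(archive, src, changed)
        return clean_before, changed, verify(src, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns a backup into a detection tool: without it you only know that files exist, not which ones a virus silently rewrote. Keep the archive and its manifest on media that is disconnected between backups, and check a restore occasionally, since a backup that has never been restored is an assumption rather than a safeguard.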

Finally, following these steps does not guarantee that you will never fall victim to a computer virus, but you can be sure that, if followed, they greatly reduce the chance of becoming the unsuspecting recipient of such an unwanted program.

Dan devotes much time working on his internet ventures. He currently has a T-Shirt store at http://www.cafepress.com/giftsandtshirts and an ebook store at http://infoheaven-digital-books.com that caters to his visitors.