Tag Archives: PCI

New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.

For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).

Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.”

PCI Guide for Small and Medium-Sized Businesses


Small and medium-sized businesses are getting a helping hand towards PCI compliance. The PCI Security Standards Council released a new resource to help small and medium-sized businesses defend against hackers.

PCI Compliance Issues

Most small and medium-sized businesses have no clue how to comply with the PCI standards. Many rely on their point-of-sale vendors to keep up with cybersecurity.

Often, complying with PCI and implementing EMV is simply too expensive. The new chargeback incentives haven’t had the effect on merchant compliance that the industry hoped for.

Many small and medium-sized businesses still think data breaches are only a problem for the big guys – the big box store retailers and brand name merchants hitting the headlines after a breach. However, the truth is cybercriminals are targeting smaller merchants.

When cybercriminals compromise a smaller merchant and post the pool of cardholder data for sale, it’s more difficult to determine a common point of purchase than with a larger merchant. If the merchant doesn’t realize it is the common point of purchase, the vulnerabilities remain in place, opening the door for a later attack.

Easy-to-Use PCI Guide

Taking all of the issues above into account, the PCI Council is trying to address some basic things smaller merchants can do to make the most impact and bolster their security defenses.

The resource they published is a 26-page tutorial – Guide to Safe Payments. The guidance is geared towards helping merchants assess their areas of risk and determine which security improvements will be most effective.

The new resource is NOT a list of requirements. It is guidance written in easy-to-understand language with infographics. It describes emerging attacks and the expense level involved in mitigating the risk of those attacks.

Key Takeaway

The payment card industry as a whole seems to be catching on to the difficulties associated with compliance. Overall, this looks like PCI Council’s best guidance for companies without a dedicated security team.

The general idea is to provide companies with easy, cost-effective ways to bolster their security defenses. If you’ve felt the struggles of complying with the rigid PCI standards, this guide is a friendly place to find some first steps.

PCI Guidance: Responding to a Data Breach

The Payment Card Industry Security Standards Council (PCI SSC) released guidance for merchants and service providers to help in preparing to respond to an incident and engaging a Payment Card Industry Forensic Investigator (PFI). To find a list of pre-approved PFIs, visit the PCI SSC website.

Join the next ePlace Solutions webinar: PCI Readiness – Solidifying PCI Scope of Compliance Risk, to gain a better understanding of the PCI DSS requirements and how to best prepare for compliance. The webinar is October 28th at 10:30 AM PT / 1:30 PM ET, free of charge.

Preparing for the Worst

The PCI SSC recommends that organizations prepare for the worst when it comes to incident management. The guidance provides 5 key points to address when putting together an incident management program.

1. Implement an Incident Response Plan

The retail industry has seen a plethora of cardholder data breaches in recent years. Organizations need to be prepared for what seems to be the inevitable data breach. An Incident Response Plan is a crucial step in preparing for an incident.

PCI DSS provides guidance in Requirement 12.10: Implement an incident response plan. Be prepared to respond immediately to a system breach.

According to PCI DSS, an effective incident response plan should include:

  • Roles, responsibilities, and communication strategies in the event of a compromise (e.g. notifying payment brands of an incident)
  • Specific incident response procedures
  • Business recovery and continuity procedures
  • Data backup processes
  • Analysis of legal requirements for reporting an incident

2. Limit Data Exposure

When responding to a security incident, too often organizations will impulsively shut down the infected systems and destroy any evidence that existed. Simply turning off a system can delete key evidence in the investigation (memory contents, live network connections, running processes) and also tip off the attackers that they’ve been detected.

Minimizing data loss while simultaneously preserving evidence is essential. The incident response team should ensure they have the capability to isolate an infected system without turning it off. This helps keep the attackers away from other potentially sensitive areas of the network and allows the forensics team to investigate the situation.
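The following script is an added example and is not part of the PCI SSC guidance or this post. It shows one way to do what the passage describes: capture volatile state, then isolate a suspect Linux host at the network layer so that only the forensic workstation can still reach it, without powering the machine off. It assumes iptables is installed and that the responder supplies the forensic workstation address; the evidence directory path is a hypothetical default. Nothing is applied unless DRY_RUN=0 is set explicitly.

```shell
#!/bin/sh
# Added example (not PCI SSC guidance): network-isolate a suspect host instead
# of shutting it down, preserving volatile evidence and forensic access.
# Assumptions: iptables is present; the responder passes the forensic
# workstation address; /var/tmp/ir-evidence is a hypothetical default path.

# Emit the isolation rule set, one command per line, without applying it.
# Ordering matters: ACCEPT rules for loopback and the forensic host are added
# before the chain policies flip to DROP, so a responder connected from the
# forensic host is never cut off mid-change. Dropped traffic is logged so the
# attacker's outbound beaconing attempts are recorded rather than lost.
isolation_rules() {
    forensic_host="$1"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s ${forensic_host} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d ${forensic_host} -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix ISOLATED-IN:
iptables -A OUTPUT -j LOG --log-prefix ISOLATED-OUT:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

# Capture state that vanishes on power-off before the host is isolated.
# Tools that are missing on the host are skipped rather than aborting.
snapshot_volatile_state() {
    evidence_dir="$1"
    mkdir -p "$evidence_dir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$evidence_dir/collected_at.txt"
    ps aux        > "$evidence_dir/processes.txt" 2>/dev/null || true
    ss -tanp      > "$evidence_dir/sockets.txt"   2>/dev/null || true
    ip neigh show > "$evidence_dir/arp.txt"       2>/dev/null || true
}

# Print each rule, and run it only when DRY_RUN=0 (default is dry run).
apply_isolation() {
    forensic_host="$1"
    isolation_rules "$forensic_host" | while IFS= read -r rule; do
        printf '+ %s\n' "$rule"
        if [ "${DRY_RUN:-1}" = "0" ]; then
            eval "$rule"
        fi
    done
}

# Usage: sh isolate.sh <forensic_host> [evidence_dir]
if [ $# -gt 0 ]; then
    snapshot_volatile_state "${2:-/var/tmp/ir-evidence}"
    apply_isolation "$1"
fi
```

The OUTPUT rule only allows ESTABLISHED traffic back to the forensic host, so the isolated machine cannot open new connections even to the responder; if the forensic team needs the host to push a memory or disk image to a collection server, add an explicit NEW rule for that destination before the policies change. Run once with the default dry run to review the rule list, then with DRY_RUN=0 from a session on the forensic workstation.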

3. Notify Business Partners

An effective response to a security incident involves notifying the proper parties. Organizations should have a communications strategy that contains all parties and contact information that is necessary in the event of a security incident. Potential parties might include payment card brands, merchant banks, or other entities that require notification by contract or law.

4. Manage Third-Party Contracts

Third parties represent a security concern for many organizations. Oftentimes third parties have access to an organization’s network and systems for business operations. However, responsibility for protecting data and information ultimately falls on the data controller.

Having contract language that addresses the vendor’s data security policies and procedures, as well as its incident response management, is a key component of preparing for an incident. As the data controller, the organization needs provisions that keep the third party accountable; these are essential to ensuring the best protection of data and information.

5. Identify a PFI

Organizations should identify and establish a relationship with a PFI before an incident occurs. PFIs will often offer their services on retainer so the relationship exists and they are only a phone call away when you need them.

When engaging with a PFI, it’s important to understand their role in the incident management process. There are several things to consider when performing due diligence on potential PFIs for the organization.

PFIs are required to be independent of the organization they are investigating. There should be no other existing relationships with the PFI. The organization’s Qualified Security Assessor is not allowed to conduct the investigation. In addition, other third-parties representing the organization, like a public relations consultant, should not be interfering with the investigation. PFIs’ investigations must be completely independent.

The purpose of the PFI is to investigate the root cause and scope of the intrusion. PFIs will compile their findings into two reports: a PFI Preliminary Incident Response Report and a PFI Final Incident Response Report. It’s important to realize that the investigation and reports are not PCI DSS assessments and will not determine compliance with PCI DSS.

PCI Security Standards Council Publishes Terminal Software Security Best Practices

The PCI Security Standards Council announced the publishing of “Terminal Software Security Best Practices”. The document provides detailed guidance on the secure development of software designed for point-of-interaction devices. It emphasizes the importance of a layered approach to security.

The goal is for this new guidance to help organizations understand potential threats and implement measures to counter them. The guidance can also be used to help ensure that standard secure coding practices are followed.