Professor Ross Anderson is leading a study into the Chip and PIN system’s potential to protect the data and finances of its users. He and his team have concluded that there is a fatal flaw, which could leave millions exposed to fraud, data loss and monetary theft.

Prof. Anderson has since stated that the payment card industry within the UK is now attempting to silence him and prevent his research from becoming more widely known, in what is a fairly serious series of accusations.

UKCA (UK Cards Association) allegedly sent a letter to Cambridge University, in which it requested that the study’s findings were not published on the internet.

The researchers found that it is possible to make purchases using a portable device even if you do not enter a PIN number which is correct.

Prof. Anderson constructed a blog post and explained in detail the way in which UKCA had attempted to prevent the publication of this damning evidence, which shows the Chip and PIN system is far from totally secure.

UKCA chair, Melanie Johnson, has been reported as saying that the researchers were acting irresponsibly in her opinion, after publishing the findings which could give criminal groups a new way of exploiting payment card users.

The main issue which security experts seem to have with Chip and PIN systems and the bodies which endorse their use, is that they are often treated as completely impenetrable. In turn, the banking sector is thought to perceive research into weaknesses in the system as necessary, but the publication of the resultant details an unhelpful conclusion to proceedings.

Prof. Anderson said that this research will be followed by further indictments from other studies, increasingly the likelihood that the payment card industry will react negatively in the future.

Reports from the Press Association, claim that the UKCA admits sending a letter to the university, but only with the intention of questioning the publication of details that explain how Chip and PIN security can be circumvented.

Chip and PIN security questions cause trouble for researchers is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

This news has come as a result of research carried out by LogLogic, which discovered that 13.8 per cent of retailers do not have any knowledge of the second edition of the PCI DSS and a further 15.5 per cent stated that their understanding was incomplete on the subject.

This leaves close to a third of the market in virtual darkness when it comes to payment card security, a fact which many experts find troubling.

Further questions in the study found that just 36 per cent of retailers are aware that the new PCI DSS requires major alterations and revisions of previous regulations, relating to the networks which handle payment card transactions within a given business, along with any virtualisation services used.

Auditing by the payment card providers was also considered in the survey and a majority of respondents said that they were being audited with increasing regularity when compared with previous periods.

PCI DSS version 2.0 was published in 2010 and LogLogic chief executive, Guy Churchward, explained that there is a worrying lack of understanding or, in some cases, basic knowledge about the new PCI DSS rulings and how they can apply to UK retailers. As a consequence, he believes that many need to implement changes to their own systems in order to comply with the standard.

Mr Churchward said that becoming compliant with the PCI DSS was not a single act but required constant monitoring and auditing, to ensure total data protection and compliance. He said that businesses who meet these requirements will be able to instill clients and customers with confidence.

Half of respondents to the survey said that the new PCI DSS was a positive influence and potentially valuable to their business. Close to a fifth said that they would use PCI DSS rulings to secure investment in up to date security systems.

UK retailers questioned over PCI DSS compliance is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

Over 10,000 users of MasterCard were allegedly affected by the data theft, although the veracity of the published details was quickly denied by a spokesperson for the payment card firm, who claimed that the group of hackers, known by the name Anonymous, had faked the leak in order to stir up trouble and gain publicity for their cause.

While the card details may have been false, the implications are serious and the group has been undeniably successful in its aims of causing widespread problems for corporate entities, through the use of distributed denial-of-service (DDoS) attacks.

MasterCard’s rival payment card firm Visa has also come into the firing line and now the group has set its sights on net transaction site PayPal, because it stopped accepting donations towards whistle-blowing website Wikileaks.

The leaked payment card details included card numbers and expiry dates but among the 10,000 listings there were no cardholder names or personal details.

What gave the leaked data away as fake was the fact that none of the alleged card numbers provided by the hackers began with the number five, which MasterCard spokesperson Chris Montero said was a common feature of all its payment cards.

Security expert, Claire Sellick, said that because attacks against sites linked with the Wikileaks scandal would continue it would be necessary for these major corporate entities to shore up their defences and limit the impact of DDoS.

It is recommended that these firms separate the provision of their internet service amongst multiple firms and harness different telephone exchanges rather than a single local option as this will make it virtually impossible for a focused DDoS attack of the kind that has been experienced in recent weeks.

Many are calling for businesses to limit the spread of private data so that it can be kept secure from prying eyes. It is also held that these first attacks by a collaborative, non-governmental hacking force show that cyber warfare can be a tool for any cause.

Hackers supporting Wikileaks distribute phoney MasterCard details is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

The development of PCI DSS 2.0 involved many industry bodies and is intended to help improve the level of security relating to payment card transactions made across the world, from debit and credit cards.

The PCI DSS will be finally implemented from the start of 2011, adding new penalties to the list of punitive measures that firms will face if they fail to adhere to its security rulings.

Security expert, Ron Gula, said that it is in the interest of businesses to take onboard the PCI DSS and use it as a foundation for future policies relating to network security and data loss prevention.

Mr Gula explained that the PCI DSS will not necessarily ensure security and so minimal compliance is less desirable than actually stepping up preventative measures to a greater degree than is required. Complying with the PCI DSS is seen as a good way to limit the impact of downtime and recover after a breach, according to Mr Gula.

Imperva’s Amichai Shulman, said that businesses and organisations can better support their wider security infrastructure by adhering to the PCI DSS. He explained that investment in added security would not just ensure that businesses were in line with its recommendations, but would have a wider ameliorating effect on an operation as a whole.

Earlier in 2010 a survey by Redshift Research found that a little over a tenth of UK groups dealing with payment card transactions actually complied to the previous PCI DSS. As a result many industry experts are welcoming the updated regulations and believe that the sooner they are here the better businesses will be able to ensure data protection.

There are many urging businesses to work with PCI DSS compliance rather than see it as a hindrance. Building strategies which allow for ongoing adherence to its rulings are seen as the most sensible routes to a more secure future.

Updated PCI DSS rated by security experts is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

Verizon commissioned the study and said that those firms who exhibited a willingness to comply with the PCI DSS, were much less at risk of security breaches and data loss than those who were failing to meet with the expectations of the regulators.

The results of the study confirmed that of the businesses who had seen their systems breached, there was a 50 per cent greater chance of it occurring if noncompliance was noted.

Twenty-two per cent of firms which handle payment card data were found to be inadequately prepared and failed to meet the stringent requirements of the PCI DSS. However among these there were still many businesses which had in place the necessary measures to match the PCI DSS’ most significant rulings.

Seventy-five per cent of respondents to the study were found to have complied with around 70 per cent of the PCI DSS requirements.

Verizon surmised that although compliance can be patchy and inconsistent, the areas in which it is most lacking are those that expose firms to the greatest threat of data loss. Many firms showed that they could not actively record the individuals accessing the network. Issues such as failing to regularly test the strength of security of payment card transactions and data storage were also common.

Experts believe that many firms which fail to comply with the PCI DSS should review their policies and set in place systems which will allow them to stay within the remit of the regulations over a long period, rather than as a one-off blitz to improve security that will not be effective over time.

Verizon’s Peter Tippett said that the study was intended to act as an incentive for businesses to review the PCI DSS and tweak internal policies to ensure compliance.

PCI DSS noncompliance causing lapse data security is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

The PCI Security Standards Council announced that it would be reviewing the current standards and making amendments, although it confirmed that businesses would not need to take additional action once a decision is reached.

The council published a report as to how the threats to the payment card industry have changed and evolved in the recent past and explained how this would be reflected in the revamped PCI DSS.

A variety of industry areas are covered by the PCI DSS and the first set of changes are to be instigated by October, with alternations to PIN security on cards. The PCI Security Standards Council said that it was preparing those who would be affected by the changes as the launch date draws near.

The buzzword surrounding the updated PCI DSS is flexibility and the council believes that businesses, financial institutions and PCI suppliers will be able to scale their operations and defences to match the severity of the threat, in addition to having access to improved tools for reporting and detecting vulnerabilities.

Significantly, there will be no additional obligations enforced as a result of the PCI DSS revision, with a greater emphasis on the allocation and appreciation of responsibility.

The council’s Bob Russo said that the fact that the update was only going to make small adjustments to the current PCI DSS underlined the robustness of the existing security standards.

Mr Russo went on to say that the council was giving organisations plenty of notice ahead of the changes in order to accommodate any necessary alterations or updates to policy and systems.

Further to updating the PCI DSS, the council is set to chair events at which key groups will be able to express their opinions and become involved in the process of formulating future security strategies.

PCI DSS under review is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

PCI DSS is being instigated by Visa from the start of July. As a result, the electronic point of sale (EPOS) and online retail sites operated by many of the smaller enterprises in the UK could come under scrutiny and be deemed inadequate under the new rules.

Larger businesses have until the end of September to ensure compliance with PCI DSS as the process of converting outdated systems is perceived to be lengthier and more complex within organisations of significant size.

Regulators have divided businesses into multiple tiers in order to separate out those businesses dealing with the most significant volume of transactions annually from those responsible for the least. The first tier businesses are the largest, with six million or more payment card transactions channelled through them annually, while the fourth tier enterprises experience less than 20,000.

Experts believe that Visa will start issuing fines to firms that have not ensured complete compliance as soon as the rules come into effect for that particular tier.

The acquirer will be fined by the payment card firm and these fines and associated costs will be passed onto the non-compliant business, according to Barclaycard’s head of security, Neira Jones.

Smaller firms from tiers two to four are encouraged to ensure complete PCI DSS compliance, because any breach will not only result in direct fines, but may also move them up the pile to be considered alongside tier one firms and their associated charges, which could have a long lasting impact according to data security expert Mathieu Gorge.

Some believe that smaller firms are being penalised under the new system, with security advisor John Walker suggesting that the limited understanding and explanation of PCI DSS rules to lower tier UK businesses could result in fines and poor treatment for those who unwittingly break the new regulations.

PCI DSS compliance heads for UK in July is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

Gillespie identified the current confusion surrounding the application of and adherence to PCI DSS. Since its introduction in 2004 a number of big name brands have incurred fines for improper protection of cardholder data. The highest profile case occurred in 2007 when high street chain TK Maxx was penalised for a lack of adequate safeguards in its payment card system.

Gillespie utilised statistics taken from a recent study carried out by the Ponemon Institute and independent research organisation Impervia. Of all the companies within the scope of PCI DSS, 71% do not invest in a security strategy for cardholder information. That 79% of companies questioned had in fact experienced a PCI-related breach suggests that much improvement is needed.

The statistics illustrate that it is the smaller companies, employing less than 1000 people that are least likely to conform to PCI DSS recommendations. Since a vast majority of the global economy is driven by these smaller businesses, the importance of universal PCI DSS conformity becomes clear.

Gillespie went on to suggest that the general reluctance to recognise PCI DSS would change over the coming months and years. With credit card companies such as Visa promoting the importance of PCI DSS compliance, a wider understanding and appreciation of the rules is gaining momentum. An October 2009 awareness campaign by Visa prompted financial giants HSBC to better explain PCI DSS to customers.

Gillespie concluded that both virtual and physical security is required to ensure the effectiveness of PCI DSS and thus the relegation of its implementation to IT departments will compromise its impact. Whilst PCI DSS compliance can prove to be financially challenging for smaller enterprises, it is hoped that co-operation and cohesion will eventually lead to safer, secure transactions for customers and less embarrassment for firms governed by the guidelines.

The importance of conforming to PCI DSS is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.
[ http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/ ]

The fact that some, if not all, of the companies involved in this fraud case were PCI DSS compliant before the attacks sparked questions about efficacy of PCI regulations. Steve Dauber, vice president of marketing at RedSeal, noted that PCI audits are only the beginning. 

“PCI is actually a pretty reasonable set of basic security recommendations,” he said. “The problem is that businesses mistake passing a PCI audit with being PCI compliant.  Audits aren’t comprehensive by nature— they will never catch every potential error in implementation. More importantly, audits occur at a point in time, but your IT infrastructure changes constantly.  So even if you do pass your audit, you may fall out of compliance the next week. If you want to benefit from PCI, you need to maintain compliance both comprehensively and continuously”.

Comprehensively and continuously? That is easier said than done.

I believe there is a bigger and more potentially widespread exposure that needs to be addressed

Let’s assume for a moment that these businesses had successfully secured their networks to prevent the hack in the first place. What about securing the backup strategy relating to this critical data ?

Data backup is one area that has received little or no attention in PC DSS Compliance discussions. In fact even the PCI DSS Compliance checklist makes little or no reference to what backup responsibility businesses have.

Here is the dilemma. A PCI DSS Compliant business must maintain a secure network (Requirement 6). All businesses must implement a robust data backup strategy, which involves geographical separation between production data and backup data. The minute the data is copied onto a tape or disk – which leaves the secure network – it is immediately at greater risk.

I believe that PCI DSS Compliance should add an additional requirement to the existing 12 to ensure businesses have a secure backup routine as well as a secure network.

This would be PCI DSS Compliance Requirement 13. Number 13 – unlucky for some – especially those who are still using unencrypted backup systems to protect their data

http://www.backup-technology.com/hsbc-fined-3000000-for-data-breaches/

Using encryption and online backup would ensure data was protected securely. It is a question of good business practice, not PCI DSS Compliance checklists, that should encourage this safer backup strategy.

Is PCI DSS Compliance effective? Not without Requirement 13 is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.

It’s requirements are far reaching – here is what your business must do:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Here is the major conflict companies currently have. A robust, offsite backup routine requires data to be stored in a geographically separate location to the source data. This is no different for a PCI DSS compliant business.

Business Example

You run a business that carries out many card transactions daily with all the major card suppliers such as Mastercard and VISA. You are already aware of PCI – DSS and have invested heavily in your network security, and have established a strong firewall to protect your customer data. You have also taken steps to meet the other requirements.

Current Backups

Your legacy backup solution involves taking a daily copy of all data onto a tape or disk. Neither the tape or disk is encrypted – so PCI DSS says you should not even copy the data, let alone take this data offsite.

Warning: The minute this tape or disk is taken offsite you have broken PCI -DSS compliance

How Online Backup Can Help

A Secure Online Backup Service will make your business completely PCI DSS compliant. Your nightly backups will be transmitted securely using strong encryption, and will be held offsite in a secure data centre in encrypted form. At no stage can anyone access your raw data. In the event of a restore being required, you use a simple GUI interface to highlight the files that have been lost, and the files are transmitted back to your network – completely encrypted. Only when the backup data is within my firewalled network will the encryption be unravelled.

Backup Technology already protect many major retailers such as LK Bennett as part of our PCI – DSS compliant online backup service. Please visit www.backup-technology.com for more information

PCI – DSS Causing Backup Nightmares for Merchants is a post from Backup Technology's Blog. Contact us today for further information on our Online Backup and Business Continuity services.