May 28, 2008

Security Whitepapers - PCI DSS overview and ATM security

With the recent incidents involving insecure retail payment systems, here is a useful overview and a pair of whitepapers on just those topics (albeit with a Solidcore slant). The PCI DSS standard is covered in the overview, followed by a whitepaper from NCR on how it secures its APTRA ATM systems.

Identity theft and credit card fraud are a large and growing problem. The Federal Trade Commission estimates that almost 10 million consumers were affected last year, at a cost of close to $50 billion. To combat this growing menace, Visa, MasterCard, American Express, Diners Club, Discover and other major card brands have joined together to introduce a single compliance standard: the Payment Card Industry (PCI) Data Security Standard. The standard unites and supersedes the brands' individual compliance programs, such as Visa's CISP and MasterCard's SDP.

Fundamental PCI Requirements

1 Install and maintain a firewall configuration to protect data
2 Do not use vendor-supplied defaults for passwords and security parameters
3 Protect stored cardholder data
4 Encrypt transmission of cardholder data and sensitive information across public networks
5 Use and regularly update anti-virus software
6 Develop and maintain secure systems and applications
7 Restrict access to data by business “need to know”
8 Assign unique ID to each person with computer access
9 Restrict physical access to cardholder data
10 Track and monitor all access to network resources and cardholder data
11 Regularly test security systems and processes
12 Maintain a policy that addresses information security

PCI Compliance Transaction Thresholds & Levels

The card brands divide their merchants into four levels based on the number of transactions processed every year, as shown in the table below.

Merchant Level    No. of transactions per year

Level 1           > 6 million
Level 2           150,000 – 6 million
Level 3           20,000 – 150,000
Level 4           < 20,000

Each level is subject to a different set of compliance activities, with the strictest rules applied to level 1 merchants. In addition to transaction volume, any merchant that has suffered a breach or attack resulting in a compromise of account data is automatically required to meet level 1 compliance requirements. Further, a card brand may, at its discretion, require any merchant in its network to meet level 1 requirements. In view of this, Solidcore's recommended best practice is to follow level 1 requirements regardless of transaction volume. This white paper focuses on the compliance validation activities required of level 1 merchants.

For complete information, download the whitepapers.

Posted by staff at May 28, 2008 07:29 AM