Posts Tagged ‘Security’

PCI Standards

More than once we’ve talked about PCI compliance standards and PCI guidelines. Basically, PCI standards, PCI compliance and PCI guidelines are one and the same. The Payment Card Industry Security Standards Council has set forth a list of criteria, or “standards”, to which business owners must adhere in order to continue with e-commerce.

Are you in compliance with the current standards that are set in these times of needed security? You must ask this question daily. You and your business need to be in charge of security for yourself and your customers.

Why has the PCI Council set forth a series of PCI standards? The answer is pretty clear cut: identity theft has become one of the most rapidly growing and problematic issues to date. In fact, identity theft is a crime that’s growing at astronomical rates worldwide. As such, the development of PCI standards seeks only to protect businesses and consumers from would-be ID thieves.

PCI standards vary from merchant to merchant based on specific merchant levels. These merchant levels are derived from a series of criteria compiled by the PCI Council. Depending upon which merchant level your business carries, your PCI standards may differ from those of another merchant. However, if you plan to continue in e-commerce or you have aspirations of accepting credit card or debit card payments through your website, you will be required to know and adhere to your specific PCI standards.

Today, there is a wide variety of tools designed to help businesses comply with PCI standards. PCI scanners and PCI vulnerability tools are relatively easy to find and can end up saving merchants lots of money and heartache in the long run. Inasmuch as PCI scanning can protect merchants from these scams, it can also save you and your consumers a substantial amount of time and money over the long haul as well.

Statistics indicate that victims of identity theft spend around 600 hours trying to correct all of the problems caused by the crime. This is an increase of over 2000% in the last three years. With technology becoming more advanced, crime is becoming more advanced as well. As such, in order to stay ahead of the thieves, the PCI standards set forth by the PCI Council are becoming mandatory.

It’s also notable that using tools to help your business adhere to the PCI standards set forth by the PCI Council is an excellent marketing tool as well. In fact, many consumers agree that if a company can provide them with constant and consistently safe and secure transactions, they will very likely become repeat customers. It stands to reason that protecting your customers is an act of good faith and also helps to instill confidence in the consumer that you are a reputable business owner who cares about the client’s needs.

It is possible to learn more about PCI standards and what it takes to be PCI compliant. You will find that, especially as a merchant, your questions are readily answered in order to help you best serve yourself and your customers. It’s also important to note that even if you are a sole proprietor, any transaction made over the Internet must adhere to PCI standards.

The time is now, and if not today then tomorrow. It is time to be in charge of your security and to be in compliance with the current standards set forth.



Vulnerability Scanning

Unfortunately, we live in a world where identity theft and other electronic crimes are rampant. As such, the PCI Council has compiled a number of specifications, or shall we say requirements, that must be put in place by all merchants accepting credit cards online and offline. Within this series of specifications is a number of “recommendations” set forth by the PCI Council, designed to ensure that your company adheres to the regulations set forth by the Council. One such recommendation is vulnerability scanning.

The primary goal of vulnerability scanning is to pinpoint and identify any device inside your network that may be susceptible or vulnerable to threats. It’s important to remember that not all vulnerability scanners are created equal. For this reason, you should do your homework prior to using any vulnerability scanning vendor.



PCI Compliance Scanning Companies

A question that you need to be asking yourself once you have realized the importance of PCI Compliance is, “Which PCI compliance scanning company should I use?” Once you have asked yourself this question, you need to start searching for a great company to help you on your way to security. Here are some questions to ask those companies:

  • How many vulnerabilities do you scan for?
  • Does your company offer Daily Scanning, Quarterly Scanning or both?
  • Does your company offer PCI Seals to place on my website to show my customers that they can trust me? (Very Important)
  • Is your company an ASV certified scanner or are you partnered up with an ASV Certified vendor?
  • How long does the process take?
  • Do you offer me PCI Compliance tools such as the Self Assessment Questionnaire (SAQ) and the Compliance Validation Basics information to help me become compliant?
  • Does the scanning vendor send you the scanning reports frequently or can you download them?
  • Will you support me in becoming PCI compliant?

So make sure you save these questions or print out this post, so that when you go to these PCI Compliance scanning vendors you can ask these important questions. Let’s go over each question in detail now to really understand its unique importance.



PCI Compliance Importance

If you already know about PCI Compliance but have yet to take action, then you need to really understand why PCI Compliance is important and how it can save you money and make you money.

The Payment Card Industry Data Security Standard (PCI DSS) is a collaborative effort to achieve a common set of security standards for use by entities that process and store payment card data. There has been a lot of talk about how effective PCI Compliance is and whether it will really protect you and your customers. What you need to remember is that PCI Compliance is not the end-all of security. Security is a mindset, and nobody can ever say that they are perfectly secure. PCI Compliance is the first step to building up your security by following the current security standards and scanning your servers for vulnerabilities.

Here are some great statements by Michael Dahn of PCIAnswers.com about Compliance vs. Validation and Compliance vs. Security:

“There is a difference between ‘compliance’ and ‘validation’. Compliance is a state of being, one that must be maintained at all times. Validation is a point-in-time check on that state of compliance. The example I give is auto insurance. In order to comply with state laws I must maintain auto insurance at all times. When I go to register my car I have to show proof of insurance. I am validating my compliance with the law. What if I decide to cancel my insurance because it costs too much? Am I still compliant? No. Now, I still validated, but remember validation is a point-in-time while compliance is measured day by day.

Another thing to remember is that compliance, even the continuous state of compliance, does not equal security if not done right. If a company focuses on check box compliance and doing the minimum they may be able to complete the baseline audit, but does that mean they are properly managing their risk and protecting payment card data? Let me explain: I’ve asked many people, “can a firewall be used to segment a network?” Everyone agrees YES, but they are wrong. Only a properly configured firewall can segment a network. So if I check the checkbox saying that something is out of scope of the audit because it is segmented off, the question remains: was it properly segmented? Did you really eliminate known attack vectors?”

So ask yourself what your mindset is and where you are with the PCI Compliance and security realms of your business. Becoming compliant and secure takes time and some money, let’s be honest. But the money and time you spend will save you in the long run, and here is why.

• First of all, if you are hacked and something does happen with your customers’ personal and private information, you could potentially be liable for the money and information lost. Also, imagine the PR nightmare.
• Next, think of all the sales that you are missing out on by failing to give your visitors trust and confidence, because you are not showing them that your site is secure and that they can trust you.

So keep all of this in mind when you are reading and pondering PCI Compliance. A suggestion would be to work with a company that can help you start the process of becoming PCI Compliant, for example with vulnerability scanning. A company that I would suggest is Trust Guard PCI Compliance Scanning.



