PCI Data Security Standard
- February 28, 2018
Visa points to a 70% drop in fraud due to EMV chip cards, as consumers and merchants adopt the new payment card technology. But criminals are shifting their own focus to adapt.
- September 06, 2017
In this week's Risk & Repeat podcast, SearchSecurity editors discuss new research from Verizon on payment card security and the effectiveness of PCI DSS compliance for enterprises.
- September 01, 2017
News roundup: More than half of enterprises are in compliance with PCI DSS, according to a Verizon report. Plus, Turla is on the attack again with a new campaign, and more.
- August 04, 2016
Researchers at Black Hat 2016 poked holes in chip and PIN security by demonstrating simple attacks that can intercept EMV card transaction data, including CVV codes and PINs.
- April 28, 2016
PCI DSS 3.2 marks a shift from minor changes to refining the payment data standard, and includes requirements to strengthen encryption and multifactor authentication.
- February 19, 2016
The PCI council has determined its data security standard is finally mature enough to forgo significant updates, so PCI DSS 3.2 will be more of an incremental modification.
- December 22, 2015
The Payment Card Industry Security Standards Council unexpectedly pushed back the deadline for enterprises to migrate off of early versions of TLS.
- October 02, 2015
News roundup: Despite a low adoption rate going into the liability shift, many in the industry are optimistic about the future of EMV use. Plus: TrueCrypt flaws; AWS crypto keys stolen; women in infosec.
- October 01, 2015
The Oct. 1, 2015 deadline for the EMV liability shift has arrived, though many merchants aren't ready for the change.
- September 01, 2015
A major deadline for EMV card adoption is just one month away. Can chip-and-PIN and chip-and-signature technology improve payment card security and reduce fraud?
- April 15, 2015
PCI DSS 3.1 grants merchants about 14 months to nix flawed SSL and early TLS protocols, but demands they quickly provide detailed new documentation on how they plan to make the transition.
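The SSL/early TLS migration above comes down to one setting in every client and server that touches cardholder data: the lowest protocol version the TLS library will negotiate. The following added example (not code from the original page or from the PCI SSC) shows a deliberately permissive Python `ssl` context beside a hardened one, plus a small audit function that flags the settings an assessor would look for. It uses only the standard library and runs offline; the context objects are never connected to a peer.

```python
import ssl
from typing import List


def permissive_client_context() -> ssl.SSLContext:
    """The pre-migration posture: negotiate down to whatever OpenSSL still supports,
    which on older builds means SSL 3.0 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Refuse anything below TLS 1.2 and insist on certificate and hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()  # system trust store; no network access
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passes."""
    issues = []
    # MINIMUM_SUPPORTED compares below every concrete version, so this also
    # catches contexts that were never given an explicit floor.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("SSL / early TLS permitted (minimum_version below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("peer certificate not required")
    if not ctx.check_hostname:
        issues.append("hostname verification disabled")
    return issues


if __name__ == "__main__":
    print("permissive:", audit_context(permissive_client_context()))
    print("hardened:  ", audit_context(hardened_client_context()))
```

A server-side spot check for the same condition is to attempt a handshake with only early TLS offered (for example `openssl s_client -tls1 -connect host:443`) and confirm the endpoint refuses it; the audit above covers the client side that a merchant's own software controls.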
- March 31, 2015
The PCI SSC has issued prescriptive new supplemental guidance on penetration testing in an effort to reverse current trends and improve merchant compliance.
- March 30, 2015
The PCI Security Standards Council has confirmed that PCI DSS 3.1 will be released in just a few weeks. According to a Gartner analyst, the surprise new release could cause major problems for merchants.
- March 11, 2015
The 2015 edition of the Verizon PCI report shows enterprises are, on the whole, getting better at achieving full PCI compliance. Unfortunately, few can sustain it.
- February 20, 2015
News roundup: Amid hidden add-ons, discontinued services and walled gardens, vendor trust proves elusive for several high-profile tech firms. Plus: Evidence ties North Korea to Sony Pictures hack; card brands boost cybersecurity; and cookies that ...
- February 13, 2015
News roundup: While data sharing can boost intelligence and improve security, recent events show the benefits don't always outweigh the pitfalls. Plus: Chip-enabled POS systems coming quickly; MongoDB databases exposed; sophisticated phishing scams.
- February 10, 2015
Visa and MasterCard are putting pressure on merchants to implement Chip and PIN technology, and while it will improve transaction security, it won't make PCI compliance any easier.
- January 16, 2015
In a sneak preview of its 2015 PCI Compliance Report, Verizon says improper firewall maintenance is among the leading causes of PCI DSS compliance failures.
- December 30, 2014
As PCI DSS 3.0 becomes mandatory on Jan. 1, QSAs say struggling merchants will find that a continuous approach to PCI compliance eases the long-term compliance burden.
- December 09, 2014
Trustwave says one out of every five organizations has no controls in place to prevent sensitive data exposure, despite growing criminal interest.
- November 12, 2014
Pain points related to finding indicators of compromise in system logs and to outsourcing the cardholder data environment (CDE) have led to a pair of new PCI special interest groups that will begin work next year.
- October 20, 2014
The newly launched Apple Pay mobile payment system could deliver the most secure shopping experience for U.S. customers yet, though it still may not be perfect.
- October 02, 2014
In this presentation, compliance expert Nancy Rodriguez offers a line-by-line review of the key PCI DSS changes that become mandatory as of Jan. 1, 2015.
- September 05, 2014
News roundup: The recent Goodwill security breach has been blamed on a third-party service provider, highlighting the need for due diligence. Plus: Mobile device theft; Android app vulnerabilities and a 12-year-long cyber-espionage network.
- August 28, 2014
The new information supplement offers advice on how to address obstacles in maintaining year-round PCI compliance, even though PCI experts say the challenge is only getting harder.
- August 12, 2014
Discussing the state of PCI DSS compliance, Gartner's Avivah Litan says the industry still struggles with PCI auditors who both identify PCI problems and sell remediation services to fix them, causing a conflict of interest.
- August 07, 2014
The PCI Security Standards Council's new information supplement helps enterprises implement a security assurance program to ensure their third-party service providers meet PCI DSS requirements.
- July 21, 2014
Hailed by card brands as the cure to payment card fraud, Chip and PIN security technology will take years to deploy and has already proven vulnerable.
- June 05, 2014
The Security Standards Council is soliciting topics for next year's PCI DSS special interest groups, despite delays that have held back two 2013 PCI SIGs.
- May 13, 2014
During National Small Business Week, the PCI SSC will offer a free webcast Thursday to draw attention to the risk of small business data breaches.
- April 01, 2014
It remains unclear whether Trustwave could be held liable for Target's massive 2013 data breach in future litigation.
- March 12, 2014
PCI compliance may be nearly impossible after the April 2014 Windows XP end-of-life date if merchants don't address vulnerable XP-based POS systems.
- February 10, 2014
In its 2014 PCI Compliance Report, Verizon says that during a three-year period, fewer than one out of every nine companies passed all 12 requirements.
- February 04, 2014
Expert Mike Chapple says a key detail in the Target breach suggests that the Fortune 500 retailer likely wasn't PCI DSS compliant.
- December 23, 2013
The Target data breach highlighted a dirty secret in retail IT: "Holiday IT lockdown" periods that limit security activity put retailers at risk.
- November 07, 2013
Version 3.0 of the Payment Card Industry Data Security Standard has few surprises, but a host of new requirements and challenges for merchants.
- October 31, 2013
A veteran QSA believes PCI DSS 3.0 will help both QSAs and enterprises, but says further clarifications are needed to avoid PCI assessment disputes.
- October 30, 2013
The PCI SSC says hardware-based point-to-point encryption (P2PE) will better secure merchant card data and make PCI DSS compliance easier.
- September 27, 2013
PCI Community Meeting attendees this week discussed POS security and EMV; officials say feedback will influence more changes in the final PCI DSS 3.0.
- August 15, 2013
The proposed PCI DSS 3.0 standard would emphasize in-house vulnerability assessments, add password flexibility and highlight provider compliance.
- May 31, 2013
Compliance practitioners say new mandates like the HIPAA Omnibus Rule and Obamacare are making enterprise compliance management even harder.
- February 26, 2013
At Security B-Sides 2013, Joshua Corman railed against PCI DSS and vendor profit measures, calling for a renewed information security focus on what really matters.
- November 19, 2012
The PCI Risk Assessment Special Interest Group concludes that risk assessments are based on a company's unique risk tolerance and environment.
- September 13, 2012
Guidelines, aimed at developers and device manufacturers, support the need for more secure development practices for mobile payment acceptance.
- May 25, 2012
The PCI Council will continue to issue recommendations for mobile payment security, according to Bob Russo, general manager of the PCI SSC.
- May 22, 2012
At ISD 2012, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies.
- May 16, 2012
A PCI Council guidance document requires merchants to use a validated PIN entry device or secure card reader to accept payments using mobile devices.
- May 02, 2012
New PCI DSS guidance on point-to-point encryption outlines product testing requirements, and urges more merchant-acquirer collaboration.
- April 19, 2012
In a session at the SOURCE Boston conference, a PCI assessor and a CISO explain that there are ways to arrive at a report on compliance they can both appreciate.
- April 02, 2012
Following a breach that leaked approximately 1.5 million payment card numbers, Global Payments is now working to achieve PCI compliance once again.
- September 28, 2011
Many businesses struggle to maintain PCI DSS compliance, suggesting they treat meeting the standard as a one-time goal rather than an ongoing initiative, according to a new report from Verizon Business.
- September 16, 2011
A new validation program will certify point-to-point encryption systems that use devices for encryption and decryption as well as hardware security modules.
- September 01, 2011
The long-awaited PCI Tokenization Guidelines add heft to its use, but persisting problems deter merchants from fully embracing the technology, according to one expert.
- August 12, 2011
PCI DSS tokenization can reduce the scope of a PCI assessment, according to new guidance issued Friday. One expert says it’s been a long time coming.
- April 06, 2011
SearchSecurity.com's new "Eye on" series examines a security topic each month. In March, the series explores the role PCI DSS has played in shaping the security industry.
- March 29, 2011
Massachusetts Attorney General Martha Coakley announced a $110,000 settlement with the owner of several Boston area bars for failing to secure its patrons' personal information.
- March 22, 2011
Thanks to the debut of PCI DSS 2.0, interest in PCI compliance is likely at an all-time high. Senior Site Editor Eric B. Parizo discusses why in his look at key PCI DSS 2011 issues.
- March 21, 2011
Technologies that enable credit card payments via mobile phones have prompted the PCI Council to start a mobile task force.
- March 04, 2011
Paul Judge of Barracuda Networks and Joshua Corman of the 451 Group discuss whether compliance hinders the creation of innovative security technologies.
- January 31, 2011
A study by the Ponemon Institute found that the average total cost of compliance is more than $3.5 million.
- January 12, 2011
A survey of 500 security professionals found that although the compliance initiatives are burdensome, they are improving security at most organizations.
- November 04, 2010
RSA is the latest vendor to combine encryption and tokens with a server that provides tokenization and key management functionality in one location.
- October 28, 2010
Version 2.0 of PCI DSS will take effect in January and won't receive changes for three years.
- June 23, 2010
Payment industry executives and security experts are currently debating over the right way to preserve and protect credit card data. Merchants can choose between a variety of formats, from format preserving encryption, which replaces the 16-digit ...
- April 06, 2010
The PCI Security Standards Council is studying a number of emerging technologies and plans to issue a guidance document on end-to-end encryption when it releases the next version of the PCI Data Security Standards (PCI DSS), due out in October. Bob ...
- March 04, 2010
Merchants see value in the technology helping to reduce the scope of a PCI assessment, but a lack of standards and complexity issues are a cause for concern.
- January 26, 2010
The PCI Security Standards Council now has a team of five reviewing PCI assessments for inconsistencies and has increased funding for its QSA oversight program.
- October 26, 2009
Steven Elefant, CIO of Princeton, NJ-based Heartland Payment Systems Inc., is leading development on the payment processor's E3 end-to-end encryption plan and new secure payment terminals. Elefant, who joined Heartland last year, said the payment ...
- October 26, 2009
First Data Corp. uses RSA software for tokenization, providing a possible threat vector for attackers, says Heartland CIO Steven Elefant.
- October 02, 2009
Voltage cites performance issues and says tokenization creates a repository of cardholder data that is an attractive target for attackers. RSA calls Voltage's claims unfounded.
- September 22, 2009
The encryption-token service could compete against vendors offering format preserving encryption to secure payment transactions.
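The tokenization entries above (the August 2011 guidance on scope reduction, the June 2010 debate over format-preserving encryption versus tokens, and the token services announced in 2009) all turn on one architectural point: the merchant's systems hold only a surrogate value, and the real PAN lives in a single, tightly scoped vault. The following added example (not code from the original page or from any of the vendors named) is a toy vault-based tokenizer: tokens are random, keep the PAN's length and last four digits so receipts and customer service still work, and have no mathematical relationship to the PAN, which is what distinguishes this approach from format-preserving encryption. The `TokenVault` and `OrderStore` class names and the in-memory maps are assumptions for illustration; a real vault would be a separate, audited system.

```python
import secrets
from typing import Dict


class TokenVault:
    """The only component that ever stores a PAN; everything else sees tokens."""

    DIGITS = "0123456789"

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:           # same PAN -> same token, so the
            return self._pan_to_token[pan]      # merchant can recognise a repeat card
        while True:
            # Random body from a CSPRNG; only the last four digits are preserved.
            body = "".join(secrets.choice(self.DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Restricted to in-scope callers such as settlement; raises KeyError otherwise."""
        return self._token_to_pan[token]


class OrderStore:
    """Merchant order system that stays out of PCI scope: it records tokens only.

    The PAN is tokenized at the capture point (terminal or hosted payment page),
    and this store never receives it."""

    def __init__(self) -> None:
        self._orders: Dict[str, Dict[str, object]] = {}

    def record(self, order_id: str, token: str, amount_cents: int) -> None:
        self._orders[order_id] = {"token": token, "amount_cents": amount_cents}

    def token_for(self, order_id: str) -> str:
        return str(self._orders[order_id]["token"])

    def contains(self, value: str) -> bool:
        """Scope check: does any stored field contain the given string?"""
        return any(value in str(v) for rec in self._orders.values() for v in rec.values())


if __name__ == "__main__":
    vault, store = TokenVault(), OrderStore()
    pan = "4111111111111111"                    # well-known Visa test PAN
    store.record("order-1", vault.tokenize(pan), 1999)
    print("token stored:", store.token_for("order-1"))
    print("PAN present in order store:", store.contains(pan))
```

The vault, its keys and the detokenize path are the assessment scope; the order store, reporting and customer-service systems that only handle tokens are what the guidance lets a merchant argue out of scope, provided tokens really cannot be reversed without the vault.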
- June 29, 2009
The company now requires merchants that process one million to six million transactions annually to have an onsite assessment by a PCI QSA. Visa says it won't follow suit.
- April 08, 2009
Payment Card Industry Data Security Standard (PCI DSS) expert Ed Moyle of CTG recently joined SearchSecurity.com for a live Q&A to address your ...
- March 31, 2009
Lawmakers call the PCI standard lacking and seek significant improvements to the payment processing infrastructure to enhance security.
- March 17, 2009
The PCI Security Standards Council quality assurance program placed three QSA firms into remediation. They could face revocation of their certification to conduct PCI assessments.
- March 05, 2009
Two firms certified to conduct PCI assessments have been placed into the PCI Council's remediation program for violating the QSA Validation Requirements.
- March 04, 2009
A new PCI compliance tool walks companies through the compliance process by meeting six milestones set by weighing risk and threat factors.
- February 13, 2009
The law, now taking effect Jan. 1, 2010, would require any business collecting personal information on Massachusetts residents to encrypt sensitive data, protecting it from data leakage.
- February 05, 2009
The benefits of complete PCI and the necessity of full compliance are now being widely questioned, says Eric Ogren, principal analyst, The Ogren Group.
- September 15, 2008
Former QSA turned Forrester analyst John Kindervag calls PCI a "communicable disease." Anything introduced to the network is in PCI scope if credit card systems aren't segmented.
- September 05, 2008
Protecting customer data, corporate intellectual property and other sensitive internal data, remains a priority in many corporate board rooms, a Forrester Research survey finds.
- June 16, 2008
A point-of-sale system supplier for car washes and quick lubes protects its machines from viruses and other malware and enables PCI compliance.
- June 11, 2008
Staff will evaluate merchant feedback on the quality of their assessors, and will place assessors on probation or revoke their certification in response to negative feedback.
- May 14, 2008
The three men allegedly deployed packet sniffers designed to capture Track 2 magnetic stripe credit card data from 11 Dave & Buster's restaurants.
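The sniffers described above worked because Track 2 data has a fixed, easily recognised layout, and the same property lets a defender hunt for it in POS debug logs, memory dumps and captured traffic. The following added example (not code from the original page or from the investigation it reports) is a small Track 2 scanner: it matches the ISO/IEC 7813 Track 2 structure, applies the Luhn check to separate real PANs from digit runs that merely look like track data, masks the PAN before reporting, and flags records from chip-capable cards, which on a magstripe path are fallback-fraud candidates. The sample payloads are constructed, not real captures; the only PAN used is the well-known Visa test number.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ISO/IEC 7813 Track 2: start sentinel ';', PAN (up to 19 digits), field
# separator '=', expiry YYMM, 3-digit service code, discretionary data,
# end sentinel '?'. The trailing LRC byte is not captured.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; true for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four; a scanner must never write the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    source: str
    masked_pan: str
    expiry: str
    service_code: str
    chip_card: bool
    luhn_valid: bool


def scan_for_track2(samples: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per Track 2 record found in (source, payload) pairs."""
    findings: List[Finding] = []
    for source, payload in samples:
        for m in TRACK2_RE.finditer(payload):
            pan, svc = m.group("pan"), m.group("svc")
            findings.append(Finding(
                source=source,
                masked_pan=mask_pan(pan),
                expiry=m.group("exp"),
                service_code=svc,
                # Service code first digit 2 or 6 means the card carries a chip
                # (ISO 7813), so stripe data for it should not normally be seen.
                chip_card=svc[0] in "26",
                luhn_valid=luhn_ok(pan),
            ))
    return findings


# Constructed sample payloads (not real captures). 4111111111111111 is the
# well-known Visa test PAN; the third line carries a non-Luhn decoy.
SAMPLES = [
    ("pos-debug.log", "2008-05-14 12:01:07 swipe ok ;4111111111111111=08051010000000000000?"),
    ("pos-debug.log", "2008-05-14 12:01:09 approved auth=A1B2C3"),
    ("pcap-stream-7", "GET /checkout HTTP/1.1\r\nX-Dump: ;4111111111111112=0912201?"),
]

if __name__ == "__main__":
    for f in scan_for_track2(SAMPLES):
        print(f)
```

Any hit with `luhn_valid` set in a log file or on an internal network segment is an incident, not a hygiene issue: stripe data must not be retained after authorization, so its presence means either a misconfigured application or a capture tool already in place.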
- April 29, 2008
PCI assessment firm Trustwave says the report debunks some popular perceptions, but others cite flaws in the study.
- April 24, 2008
Hard-pressed corporations are turning to service providers as well as product vendors to bring log data together and make management easier.
- April 22, 2008
The PCI Security Standards Council released documentation hoping to reduce a tide of confusion over enforcement of application firewalls and code reviews.
- April 02, 2008
As Executive Editor Dennis Fisher explains, the Hannaford supermarket breach illustrates how too much emphasis on compliance puts critical data at risk.
- April 01, 2008
Due to an overwhelming number of audience questions during his live question-and-answer session, Security Curve Founding Partner Ed Moyle was unable to answer all of them during SearchSecurity.com's recent virtual trade show on PCI DSS. In this Q&A,...
- November 08, 2007
The Payment Application Data Security Standard (PA-DSS) is based on Visa's Payment Application Best Practices. It's designed to bolster security during application development.
- November 05, 2007
Data breaches at TJX and elsewhere have some questioning the effectiveness of PCI DSS, but others say the real problem is how companies approach the guidelines.
- October 01, 2007
The latest retailer to suffer a security breach is Gap Inc., which blames the exposure of data on 800,000 job applicants on a third-party vendor that manages the information.
- September 25, 2007
TJX Cos. should have moved faster to upgrade its Wi-Fi security from WEP encryption to WPA encryption, say Canadian officials.
- August 02, 2007
Database security researcher David Litchfield of UK-based NGS Software will release a free Forensic Examiners Database Scalpel, which he says could aid data breach investigations.
- July 11, 2007
Karen Worstell, former CISO at Microsoft and AT&T Wireless, recently joined the advisory board of Neupart A/S, a five-year-old European security risk management and awareness firm that just launched a North American office in the Seattle area. The ...
- July 10, 2007
Recent high profile data breaches and compliance pressures are forcing companies to spend more on technology to protect intellectual property, according to a new study.
- June 20, 2007
Log management is expected to be a hot topic at the upcoming Burton Group Catalyst Conference. Experts say log data can help organizations comply with numerous guidelines.
- May 22, 2007
While more organizations are seeking database authentication and encryption technologies, others are turning to database monitoring to secure data.
- May 17, 2007
Bob Russo, general manager of the PCI Security Standards Council, explains that education is crucial to getting more merchants to comply with the standard.
- April 20, 2007
Phil Mellinger, CISO of credit card processing giant First Data Corp., is calling for changes to the standards to speed adoption, ease restrictions and eliminate ambiguous language.