June 2013 Newsletter

Check out our latest Securus newsletter to see what’s been happening in the security sphere. From mandatory disclosure of data breaches, to vulnerability management, a review of penetration testing to changes in the PCI standards, in this issue, there is something of interest for everyone!

http://createsend.com/t/j-A842B2EA4BEC2ADB

PCI DSS plays an important role in business operations

The importance of having the correct systems in place to handle commercial payments has been discussed at a leading economic forum.

In an address to the Australian Payments Clearing Association (APCA) on May 28, the governor of the Reserve Bank of Australia (RBA), Glenn Stevens, has explained how various organisations have been instrumental in delivering a safe trading environment.

While in previous decades the majority of business transactions took place using written cheques and certificates, the digitisation of many accounting processes meant that entire industries were now able to interact and close sales on a faster turnaround.

However, with new developments came the need to provide regulation and balance to the transaction clearing processes.

While the larger end of the scale is governed by the Payment Systems Board (PSB), the payment card industry data security standard (PCI DSS) is used to ensure commercial enterprises are processing and storing their client’s information in a compliant manner.

Mr Stevens explained that the PSB was responsible for “the stability of financial market infrastructure” and was largely focused on high-value payments” in financial markets and the local stock exchange and currency markets, rather than daily transactions between client and business.

He went on to say that a number of developments meant that the RBA and the PSB were facing increased levels of change.

Most notably, the need to meet the “global push to strengthen financial regulation in the wake of the global financial crisis” was becoming a high priority – with investor confidence and market stability on the line.

Mr Stevens asserted: “All this means financial market activity that is important to Australia will be increasingly reliant on centralised financial market infrastructure.”

“Hence the resilience of that infrastructure will be critical, and the obligation of the official sector to provide proper oversight to ensure that resilience will correspondingly increase.”

It is easy to see how Mr Steven’s comments can also relate to smaller operations – with the systems in place at a company having a direct impact on both the capacity and image of the enterprise as a whole.

Meeting the standards set out by the PCI compliance council not only helps to protect the daily operations of a business – it also ensures that the infrastructure it has in place helps to deliver services that actively improves on client confidence.

As Mr Stevens explained: “This is a continuation of a trend that has been under way for some time, and to which we have already responded with a significant boost in the resources we devote to these issues within the Bank.”

PCI compliance in cloud services

With all the hype surrounding the delivery of services through cloud providers, it is little wonder that some enterprises may be wary of stepping into the new realm of business opportunities unprepared.

In essence, external providers are taking the information and operations outside of the physical premises controlled by the firm in question – leading to questions about how safe and secure the systems really are.

This is especially true for businesses that are aware of their obligations with regard to potentially sensitive information collected from clients and stakeholders.

Because these details are given to the enterprise with the understanding that they will be kept safe from misappropriation or theft, security is often a prime concern for the staff members in charge of information storage.

When it comes to the payment card industry (PCI), there are strict guidelines that govern how client information is to be processed and archived.

With new technologies such as cloud storage, the same requirements would apply to these solutions as with in-house systems – requiring the assistance of qualified PCI compliance testers.

These experienced professionals will be able to ascertain if an external provider is suited to the task of storing or processing sensitive card payment information – as well as providing additional advice on how to improve existing frameworks.

Dr David Ross delivered a presentation to the attendants of AusCERT 2012 convention, stating that while extra care was needed, it could be possible to make use of these systems while maintaining PCI compliance.

According to an article published by ZDNet on May 17, Dr Ross said that while cloud providers can offer compliant products and services, the onus still lies with the primary company.

Some of the products mentioned by the presenter were known to also provide in-depth guides that help clients to deliver services that are in line with the data security standards laid out by the payment card industry, but he was quick to warn that this still did not automatically make the solutions certifiably compliant.

While the shared nature of some cloud services makes it difficult to get a clear picture of just what information is visible to third parties, a team of qualified assessors can provide managers with an in-depth review of the pros and cons of a particular service.

This allows decision makers to make informed choices based on the particular details provided by a neutral third party – removing issues of bias and proprietary control issues from the equation.

Managing PCI compliance across multiple channels

Growing businesses are bound to face a number of serious challenges as they develop – especially as the number of customer contact points starts to grow.

For some organisations this translates directly across to an increase in staffing numbers and retail outlets or distribution centres, while others may simply begin to free their products or services across a wider geographic range.

No matter which one of these options are taken by managers, the end result is that the organisation is likely to be in a position where it collects and handles more information from the  payment card industry (PCI).

While this phenomenon depends largely on the proffered transaction method of the client base in question, the ease and security of PCI solutions make them an obvious choice for growing firms.

However, expansion planning needs to take these payment methods into account and ensure that the financial channels are as secure as possible.

In particular, each new sales outlet, retail point or service provider plays a part in delivering PCI compliance across the range of transactions it will cover in the course of normal operations.

In a very real way these activities help to serve as an investment in the security of client details – including potentially sensitive data such as contact information.

This places the issue of PCI compliance firmly in the best interests of the organisation that is undertaking the expansionary activities – as it acts as both a secure vehicle for inbound payments and as a brand building tool that inspires client confidence.

On the flipside, keeping systems in place that do not comply with the payment card industry’s data security standards only serves to damage a reputation should it come to light – or worse, expose valued customer and client details to malicious parties.

PCI compliance no longer the boogeyman of retail enterprise

Selling goods directly to consumers can take many different forms – from chain retailers and bulk wholesale outlets to more bespoke providers that tailor their offerings to suit each client.

This makes the challenges each enterprise faces fairly unique, as changes in demographic, locations, suppliers and other market factors require careful monitoring and responses in order to realise profits.

One of the more common factors that requires regular review is the frameworks surrounding the firm’s payment card industry data security standards (PCI DSS) compliance efforts.

With all of the commitments already in place at an enterprise – to consumers, suppliers and other stakeholders – it can be understandable that other areas can be overlooked for months at a time.

However, the security standards put in place by the Payment Card Council are constantly being updated as new threats to customer information are discovered and assessed.

This makes the services of a professional PCI compliance team a valuable addition to any retailer’s set of service providers – protecting their customers’ sensitive information from potential misuse.

While clients and stakeholders are not directly liable for losses incurred on their cards under a range of circumstances, the blow in brand confidence can still be crippling to enterprises of any size.

Payment security – credit and debit cards

It is becoming increasingly easy for Australian debit and credit card users to make payments in a variety of different ways – but this ease of use poses a number of important security questions, according to Josh Stollmann.

The chief executive of Tyro Payments asserted that retail payments systems across Australia need to be “dramatically” overhauled to keep pace with new technological advancements, including tap-and-go payments and the ability to use certain types of credit cards without a pin or signature for small transactions.

He said: “The move to a cashless society and new mobile technologies will result in dramatically increased number of transactions, putting further stress on the failing legacy core payment systems of Australia’s banks.”

Growth in Australian debit card use has more than doubled that of credit card use, according to new data from the Reserve Bank of Australia representing the first three months of the year.

Nearly 700 million debit card transactions and 430 million credit card transactions were carried out during the first quarter of 2012, representing 15 per cent and seven per cent growth, respectively.

A rising number of people making card payments mean that it is becoming increasingly important for merchants to be aware of their PCI DSS compliance responsibilities.

PCI DSS compliance means that customers can shop with confidence and are able to trust that their sensitive payment card information will remain secure. This can also result in more repeat business for the merchant.

It is also important to note that noncompliance with PCI DSS can have very serious consequences, which can range from insurance claims and government fines to cancelled accounts.

Payment Card Industry Security Standards Council criteria can vary depending on the size and scope of your business – and the organisation is constantly working to keep pace with new technology developments and sophisticated data compromise.

Tips for maintaining PCI compliance – ZDNET Article

Recently at our April Breakfast Briefs in Sydney and Melbourne, Steven Surdich one of Securus Global’s resident PCI DSS experts and QSA’s provided an address on the importance and trials of maintaining PCI DSS Compliance all year round, rather than just a point of time excercise when an Audit is due.

There are many very pragmatic strategies and processes that can be employed which do not need to be difficult or complex if implemented as part of business as usual process and not special PCI Compliance Activities.

Here is a little of what ZDnet had to say

Too many companies are neglecting to keep up to date with the standards required for accepting electronic payments, even though compliance is easily achieved by following three simple rules, and not a once per year obligation according to Securus Global senior security consultant Steven Surdich

Although many companies appear to be having difficulty in doing so, Surdich said it is simple if they follow the three basic rules: controlling changes to the cardholder environment; maintaining oversight of their activities; and simplifying compliance processes.

To read full article: http://www.zdnet.com.au/tips-for-maintaining-pci-compliance-339336453.htm?noredir=1

For more info on PCI Compliance visit the SG Website:

PCI compliance for new online business

Being able to access more information faster is perhaps the best thing to happen to businesses in Australia, where geographic distance and community spreads are important factors.

It affects all aspects of the marketing process – with shopfronts experiencing higher pedestrian traffic obviously attracting higher rents and word-of-mouth business becoming a truly valuable asset.

The roll-out of the national broadband network has been hailed as a boom for many firms, allowing them to reach out to customers in ways that were previously untenable due to technical or financial limitations.

However, while many of the businesses getting involved in online selling know their industry inside and out, they will still need assistance in developing security methods that help to put their customers at ease.

The payment card industry (PCI) has come up with a data security standard that helps to set the benchmark on the minimum requirements needed to ensure the safety of a client's online information.

More of an ongoing process than a simple test, PCI compliance requires the specialist attentions of a qualified security assessor that is registered with the Payment Card Industry Security Standards Council.

In this way, Australian business can offer their services to the rest of the nation with the confidence that their online commercial offerings are secure as can be.

PCI DSS Compliance
PCI DSS Tools

US smartphone usage eclipses 100 million

It’s no secret that the growth of smartphone adoption has been progressively climbing ever higher over the last few years.

However, a recent study from digital business analytics firm comScore has shown that it has just passed another milestone.

Data gathered from the company’s MobiLens statistics service shows that the popularity of intelligent handheld devices has hit a new high, with over 100 million consumers owning a smartphone.

This growth in understandable – customers are able to use these handsets to browse business offerings and make purchases on the go.

To get around the hassle of needing to post a cheque or buy through a dedicated brick-and-mortar storefront, businesses can apply to receive a payment card industry (PCI) compliance certification.

These impulse purchases can be made even easier with dedicated applications from vendors that help facilitate the PCI transaction.

However, firms in Australia need to be aware of the need to operate within the payment card industry data security standard for mobile devices.

With three categories governing the acceptance of applications for mobile PCI standards, compliance is an ongoing process rather than a one-off inspection – meaning that continual analysis is often required to provide a secure channel for online transactions.

For more info on PCI, visit the SG Website: PCI DSS Compliance