New PCI DSS requirements will come into effect on June 30

The Payment Card Industry Data Security Standard (PCI DSS) is a requirement set down by several of the world’s leading payment card providers for any retailer who processes debit or credit card information.

However the scope of PCI DSS compliance, and the fact that individual requirements vary depending on the size of a company, can often make it confusing for businesses to understand.

And it may soon become even harder to internally evaluate PCI DSS compliance with new updates coming into effect on June 30.

Retailers will now be required to “establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities”, according to the security standards council – something which was previously only considered a best practice.

This means that businesses will not only have to be aware of and understand vulnerabilities, they must also be able to rank those vulnerabilities based on the relative risk to their systems.

The importance of having a secure system for managing payment card information has been highlighted in the media lately, with news breaking earlier this week (June 26) that the US Federal Trade Commission has filed a lawsuit against Wyndham Worldwide, accusing the hotel group of not properly securing customer information leading up to the theft of 600,000 payment card accounts.

Global Payments releases update on security breach, PCI DSS compliance

A global electronic transaction processing firm has announced that a security breach that occurred earlier this year has now been contained.

Global Payments first announced the breach on May 30. Cybercrime website Krebs on Security originally reported that more than ten million accounts were potentially affected, and stocks in the company plunged 13.7 per cent as a result.

Since then, Global Payments has engaged multiple security and forensics experts to investigate the incident, and recently posted an update on the situation.

"Based on the investigation to date, we continue to believe that a limited portion of our North American card processing system was affected," reads the security alert.

"Actual card numbers that may have been exported did not exceed 1,500,000 and any potential card exportation was limited to Track 2 data."

Because only Track 2 data was compromised, no names, addresses or social security numbers were stolen and the incident is now contained.

While it is still unclear whether any personal information was viewed or extracted, Global Payments is promising to notify anyone potentially affected in the coming days, and has offered free credit monitoring and identity protection insurance to those at risk.

As part of the incident, several card brands have removed Global Payments from their list of PCI DSS compliant service providers.

More information on the investigation, as well as financial impact and PCI DSS compliance implications will be released by July 26, the company confirms.

“We sincerely apologise for this incident and are working diligently to conclude our investigation," said Paul Garcia, Global Payments chairman and chief executive.

"We are committed to fully resolve any issues arising from this matter and we, of course, continue to provide uninterrupted transaction processing for our customers worldwide.”

Global Payments is a Fortune 1000 company that processes transactions from Visa, MasterCard and American Express.

Consumers concerned about mobile payment privacy, security

Concerns about security – and more notably, privacy – are making some consumers think twice about making mobile payments, according to recently-published research carried out at the University of California, Berkeley.In a survey of 1,200 American households, consumers were “overwhelmingly opposed” to having their contact information – including home address, email address and phone number – shared with a merchant when making a mobile payment.The survey results, according to the researchers, suggest that legislation may be needed to clarify which personal information can and cannot be shared by retailers – similar to the regulations that govern credit card payments.Mobile payments are one of the hot issues to watch in 2012, as identified by the PCI Security Standards Council (PCI SSC).

Earlier this year, PCI SSC chairman Mike Mitchell and general manager Bob Russo revealed that the council will issue some best-practice guidance for the industry on mobile payments later this year.All merchants that accept credit cards must be PCI DSS compliant – and it is important to be aware that specific compliance requirements can vary depending on the size of the business.

PCI DSS Compliance