Tag Archive for: Payment Card Industry (PCI)

Dallas PCI Event – April 9th

Best Practices for Protecting Payment Card Data (PCI) to help ensure compliance and reduce risk.
IBM
PMG

Event Overview

News headlines about the increasing frequency of stolen information and identity theft have focused awareness on data security and privacy breaches—and their consequences.

Payment card use is widespread today. Along with growing global use, the industry has experienced a troubling increase in incidents of financial fraud. In response, the leading payment card companies worked together to develop a set of technical and operational requirements designed to protect cardholder data, commonly referred to as PCI DSS (Payment Card Industry Data Security Standard).

Recent high profile data thefts, along with industry statistics, indicate significant work remains to be done in most organizations to implement PCI DSS.

Topics to be covered:

• Current trends, issues and concerns around sensitive data security
• PCI and the changing threatscape
• Looking beyond the compliance checkbox
• The future of the PCI-DSS
• What can be done to harden defenses against the exploitation of privileged users, unauthorized access and information-related vulnerabilities
• How to create a centralized data security platform

Date: April 9th, 2013
IBM Technology Exploration Center (TEC)
1503 LBJ Freeway (Luna and 635), 5th Floor
Dallas, TX 75234-6059
8:30am – 11:00am

Agenda:
8:30 am – Breakfast and Registration
8:45 am – Welcome and Introduction
9:00 am – Keynote – Christian Nielsen, PathMaker
10:00 am – Keynote – Michael Murphy, IBM
11:00 am – Closing Remarks

Christian Nielsen, Ph.D., PCI-QSA

PathMaker Group

Christian has over 30 years of experience in security and networking technology. He has earned advanced degrees in Information Systems while staying active in the corporate world. In addition to his corporate career, Christian is training the next generation of master’s degree students in cyber security. Over the last several years, he has worked to assist business clients prevent and remediate the many security and compliance challenges they face.

Michael Murphy

Worldwide Solution Architect
Data Governance Center of Excellence
IBM

Mike Murphy is a Worldwide Solution Architect for the Data Governance Center of Excellence, specializing in real-time database protection solutions for reducing risk, simplifying compliance and lowering audit costs.
Over the last six years, Mike has worked with hundreds of customers, conducting risk assessments and proposing technology solutions to protect against data breaches and to ensure adherence to regulatory data protection standards such as HIPAA/HITECH, PCI-DSS and SOX 404.

RSVP to rachel.armstrong@pathmaker-group.com or 817-704-3644

Security and Identity Management Solutions for the Healthcare Industry

Do you work in the medical or healthcare industry? Is your company in need of security or identity management solutions? If so, here are some of the key ways in which PathMaker Group can provide value in this field.

Enterprise Single Sign-on

Doctors and nurses have many passwords to manage and often work on shared workstations. This creates potential issues around people sharing a single user ID for an account and people leaving an application or patient information open on a shared workstation. With ESSO, PathMaker Group can give users a secure way to store all their passwords and automate the login and logoff process.

  • ESSO can be paired with an RFID badge – a quick tap of the badge can log a user on or off the workstation, saving the time of entering the user ID and password over and over as they switch between machines all day. A proximity sensor can be added to workstations to automatically lock them when a user forgets to tap out as they walk away from the machine.
  • Shared Workstation Management – Shared machines can be configured to lock when an ESSO user leaves the workstation. When the next user arrives, any applications left open by the prior user can be gracefully closed, preventing the new user from accessing patient data under the prior user’s account.
  • Context Management – ESSO can further streamline access to patient records across multiple applications. Tools such as CareFX Fusion Context Management make it possible to script the sharing of patient identification across applications, removing the need for constant searches and patient lookups.

Security and PCI-DSS Compliance

The question of whether compliance makes your networks secure often comes up when performing Payment Card Industry (PCI) Data Security Standard (DSS) remediation and audit work. Many believe that compliance with the PCI-DSS means their networks are secure from exploitation. Unfortunately, this is not the case. Passing an independent PCI audit usually indicates reduced vulnerability in the PCI-related areas tested; however, the PCI segments are usually only a small portion of the overall network.

The payment card industry has one goal in mind, and it is not to protect or provide security for your network. Its goal is to protect credit card and cardholder data. It does this to limit its potential liability and to transfer responsibility for that liability to the entities that provide, accept, use, store or transfer credit card and cardholder information. That is almost all businesses and many institutions here and around the world.

The Importance of Hiring an Experienced, Qualified Security Assessor for Your PCI-Compliance Audit

With the stiff penalties associated with failing to meet the standards set by the PCI Security Standards Council, ensuring that your company remains compliant and avoids security breaches requires regular PCI compliance audits. Hiring qualified security assessors can help you avoid a number of potential pitfalls associated with audits. Opting to hire the most experienced candidates offers a number of benefits, including:

  • Getting it Done Right
    In 2004, CardSystems Solutions was hacked, resulting in the theft of 263,000 credit card numbers and the compromise of roughly 40 million. This breach occurred despite their security auditor giving them a clean audit just three months prior. Hiring experienced PCI compliance auditors to perform your audits lessens the likelihood of potentially costly mistakes.
  • Continued Security
    Experienced PCI compliance auditors not only understand current standards; they also understand the areas in which the current standards fall short. This allows you to proactively anticipate security risks and protect your customers’ data. Understanding today’s problems, as well as the next generation of threats, allows you to remain in compliance and prevent costly security breaches.

Leveraging Centralized Log Management in a PCI DSS Environment

Enterprise environments generate vast amounts of log data on their own, before the PCI DSS section 10 logging requirements are even considered. Given the volume of logs from the wide variety of sources across a network, it is important to find an effective and efficient way to manage this data. When logs are decentralized across the organization and must be reviewed, at times, on a daily basis, IT departments could easily dedicate one full-time employee to this task alone. Admins also face the daunting task of maintaining a working knowledge of the many system interfaces used to access and review this data where it is stored by default. This arrangement is clearly inefficient and impractical.

The only logical way to meet the PCI DSS logging volume and review requirements is a centralized log management system. PathMaker Group offers such a solution, built on a SaaS platform, that provides the functionality, usability, and reporting that PCI DSS requires.

PCI Updates

I thought I would take a few minutes to wish everyone happy holidays and a very prosperous 2011. I also noticed that I hadn’t blogged in a while, so I thought I’d do a little of that…

This blog provides a few updates and observations related to the following:

  • PCI DSS v1.2.1 to PCI DSS v2.0 transition – very well defined, except for the cut-over date. The bottom line is that the PCI SSC is encouraging all merchants and service providers to convert as soon as possible, while at the same time saying everyone has until New Year’s Eve 2011 (one year).
  • PCI DSS and PA-DSS v2.0 Scoring Templates – QSAs can’t plan their projects without the new Scoring Templates. This will stall migrations.
  • Sampling and ASV Scanning Do Not Mix – this wasn’t a free lunch, but some still manage to screw it up…
  • PCI DSS Timeline Clarification

Log Management the Easy Way!

The Need for Effective Log Management

Log management is a necessity for regulatory compliance and essential to maintaining a positive security posture in your environment. As your IT organization evolves to comply with today’s regulations and defend against new network security threats, you should choose a solution that avoids expensive maintenance and operating costs, reduces the number of resources needed to maintain and support it, and, most importantly, provides the most effective log management available today.

Our SaaS offering collects log data via an agentless collection device and provides log storage, reporting, correlation and monitoring, leveraging our grid computing and storage architecture in our highly secure, redundant datacenters.

Why is it even more important to have an IR plan than a DR plan?

Virtually every organization has a DR (disaster recovery) plan in place, as they should. However, most organizations don’t have a detailed IR (incident response) plan in place for when their IT systems are impacted by malicious behavior from either external or internal causes.

Why is it potentially more important to have an IR plan in place than a DR plan? The answer is simple: statistics. According to several credible sources, the percentage of companies in the United States that experienced an IT incident in 2009 related to a directed malicious attack from either an external source (malware, etc.) or an internal source (privileged user, disgruntled employee) was 49%, compared to less than 10% of organizations that actually activated and used their DR plan.

Over the last few years we at PathMaker Group have seen both the number of incidents and their impact (downtime and financial) increase dramatically. Surprisingly, most organizations still don’t have a defined incident response team and procedures to address these issues in a timely fashion and reduce downtime and financial impact.

We have the coolest security technology partners!

Recent press supports our direction in selecting leading-edge security technology partners. Not long ago, NetWitness found the most invasive botnet in recent history.

Now our cloud-based monitoring solution partner, Alert Logic, discovered a serious bug with Facebook.

IDG reported: “Facebook is fixing a Web programming bug that could have allowed hackers to alter profile pages or make restricted information public.

The flaw was discovered last week and reported to Facebook by M.J. Keith, a senior security analyst with security firm Alert Logic.”

Security as a Service (SaaS) Model?

For clients who have limited capital expense budgets, we’ve created a suite of services to help them meet the challenge of a limited budget while maximizing the benefit of their security solutions. With services in log management, threat management, file integrity management, vulnerability management, wireless device security management and 24/7 monitoring, we’ve effectively addressed eight of the most challenging Payment Card Industry (PCI) requirements.

Instead of spending several hundred thousand dollars, plus even more on additional personnel, equipment and rack space, to launch these products yourself, why not consider our SaaS model? For just a few thousand dollars per month, you get the benefits of the latest technology, reduced work for your personnel, and greatly improved security operations.

In traditional outsourcing models, the customer gives up visibility into and control of their internal operations. Not in our model! You can have as much access, control, and visibility as you want into everything our Security Operations Center sees. We’ll just handle it around the clock!