Monday, July 30, 2012

Visa's PCI compliance policy change: The end of the PCI assessment?

Does Visa's recent policy change on compliance assessments for the Payment Card Industry Data Security Standard (PCI DSS) mean the death of the PCI assessment?

Image source: Searunner
The change, under which merchants meeting certain criteria no longer have to undergo PCI assessments, may have merchants and security professionals looking forward to never filling out another lengthy annual self-assessment questionnaire (SAQ) as part of compliance validation. But the PCI DSS program is here to stay, and so, most likely, are the SAQs.

The good news for merchants is that several trends may reduce both the number of merchants required to complete the assessment forms and the time needed to complete them: clearly defining and scoping the cardholder data environment, outsourcing card processing, and using Europay, MasterCard, and Visa (EMV) "chip and PIN" terminals.

Read Mike Chapple's discussion on the PCI community's shift toward "a risk-based approach that reduces the burden on merchants not engaged in high-risk activities."

Friday, July 27, 2012

Square Expects New Financing and a Loftier Value

As mobile payment-processing technologies continue to gain popularity with merchants and consumers, the mobile payments market is becoming increasingly competitive, with a steady stream of new products and investors pouring large sums into it.

Image source: Article
Rumor has it that mobile payments provider Square is on the verge of closing yet another hefty round of funding, said to be roughly $200 million, which would give the start-up an implied valuation of $3.25 billion and strengthen its position against competitors such as Google, Intuit, and PayPal.

Square is best known for its square, "pint-size" credit card reader for smartphones. Its user base doubled to roughly two million in the first half of 2012, and it currently processes $6 billion in transactions a year. The company has also rolled out Square Register, an app that lets small businesses use iPads as credit card registers, and Pay With Square, an app that lets consumers open "tabs" with vendors for in-store shopping by linking their credit card accounts.

Square does have competition, however, with many other players introducing mobile payments products of their own. Read up on the growing market for these technologies and see what's working for Square.

Wednesday, July 25, 2012

Confidence in credit unions up, banks down

Credit unions once again take the lead over banks when it comes to trustworthiness in the public eye.

Image source: Geograph
According to the latest Chicago Booth/Kellogg School quarterly survey, respondents' confidence in credit unions rose to 63 percent, up from 58 percent the previous quarter. Meanwhile, the share of respondents who trust large banks dropped from 25 percent to 23 percent, while trust in small community banks rose to a more favorable 55 percent from 51 percent.

Trust in the financial system as a whole isn't looking so good: only 21 percent of respondents said they trust the system, the lowest result in this category since the March 2009 poll, taken as the global economic crisis steamrolled through the industry.

What else is on your members’ minds? Get more survey results from the article and see where people are putting their trust and what gives them cold feet.

Monday, July 23, 2012

Android app steals contactless credit card data

Better not let your members get too comfy with their contactless cards.

Image source: Article
paycardreader, an Android application capable of reading credit card data from contactless bank cards over NFC, has been posted to the Google Play Store by a German penetration tester.

The app, which reads card numbers, expiration dates, transaction data, and merchant IDs, was launched at Integralis Security World 12 in Germany while still considered unstable. Its developer, Integralis senior consultant Thomas Skora, said the app was "only for technical demonstration" to show how data could be read from contactless cards such as MasterCard PayPass and GeldKarte.

This is not the first time security researchers have shown that contactless cards give up their data to an unauthorized reader. Not so reassuringly for your CU's contactless cardholders, paycardreader was available for download on the Google Play Store and GitHub. Get the full story from SC Magazine.

Friday, July 20, 2012

Financial Regulators Address Cloud Security

In an effort to help financial institutions understand and address the risks of cloud computing, and to keep them from outsourcing haphazardly, the US Federal Financial Institutions Examination Council (FFIEC) has published Outsourced Cloud Computing.

Image source: Article
This resource document stresses due diligence when shopping for cloud service providers. Vendors may be unaware of the regulatory requirements that apply to financial institutions, but the institutions remain responsible for the compliance and security of their records, and must therefore make sure their providers meet their risk-management, compliance, quality-of-service, and cost requirements.

Covering business continuity planning, regulatory and legal compliance, audits, information security, vendor management, and due diligence, this FFIEC resource is an excellent guide to outsourcing cloud services and to hammering out your vendor contracts and service-level agreements.

Read the story in CloudTimes and take advantage of this invaluable resource for your CU.

Wednesday, July 18, 2012

How PDFs can infect your computer via Adobe Reader vulnerabilities [VIDEO]

Read at your own risk...

Image source: Article
Beware of PDFs booby-trapped by cybercriminals: they can infect your computer and potentially give the attackers a foothold on your corporate network. These PDFs may be sent to victims as spam attachments, or planted on websites where they wait for unsuspecting visitors to open them.

Booby-trapped PDFs exploit vulnerabilities in PDF readers such as Adobe Reader. Simply opening one can trigger the download of malicious code from the Internet, while a decoy document is displayed to cover up the malicious activity.

When was the last time you updated your applications like Adobe Reader with the latest security patches? Watch this video by Chet Wisniewski and see how hackers can leverage PDFs to pwn your computer.
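Patching is the fix, but a help desk also wants a quick way to tell a plain PDF from one that acts on its own the moment it is opened. The following is an added example (not from the video or the article) of the triage check tools such as pdfid perform: it looks for the PDF name objects that run an action on open (/OpenAction, /AA) and the ones that carry a payload (/JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia), after undoing the #xx hex escapes that malware authors use to hide those names from a naive grep. The two sample documents are constructed for the example and contain no exploit; the "booby-trapped" one only pops an alert.

```python
"""Triage a PDF for auto-run hooks before anyone opens it in Adobe Reader.

Added example. BENIGN and BOOBY_TRAPPED are constructed sample documents;
the second one carries a harmless alert, not an exploit.
"""
import re
from typing import Dict

# Name objects that let a document act without the user doing anything.
SUSPICIOUS_NAMES = [
    "/OpenAction",     # action run as soon as the document is opened
    "/AA",             # additional actions (page open, field focus, ...)
    "/JavaScript", "/JS",
    "/Launch",         # execute an external program
    "/EmbeddedFile",   # a file hidden inside the PDF
    "/RichMedia",      # Flash content
]


def normalize_names(raw: bytes) -> bytes:
    """Undo #xx hex escapes inside PDF names (/JavaS#63ript -> /JavaScript).

    Only bytes inside a name token are rewritten, so stream data and
    string literals are left untouched.
    """
    def unescape(m) -> bytes:
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    # a name runs from '/' up to the next whitespace or delimiter
    return re.sub(rb"/[^\s/<>\[\]()%]+", unescape, raw)


def triage_pdf(raw: bytes) -> Dict[str, int]:
    """Return {suspicious name: occurrence count} for the names present."""
    if not raw.startswith(b"%PDF"):
        raise ValueError("not a PDF (missing %PDF header)")
    text = normalize_names(raw)
    hits: Dict[str, int] = {}
    for name in SUSPICIOUS_NAMES:
        # names end at a delimiter, so '/JS' must not match inside '/JSX'
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    return hits


def verdict(hits: Dict[str, int]) -> str:
    """An auto-run hook combined with a payload is the pattern to block."""
    auto_run = "/OpenAction" in hits or "/AA" in hits
    payload = any(n in hits for n in ("/JavaScript", "/JS", "/Launch"))
    if auto_run and payload:
        return "high: runs script or program on open"
    return "review" if hits else "clean"


# Constructed sample 1: a catalog and an empty page tree, nothing active.
BENIGN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")

# Constructed sample 2: JavaScript fired on open, with both names #-escaped.
BOOBY_TRAPPED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenA#63tion 3 0 R >>\nendobj\n"
                 b"3 0 obj\n<< /S /JavaS#63ript /JS (app.alert('decoy')) >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("booby-trapped", BOOBY_TRAPPED)):
        hits = triage_pdf(doc)
        print(f"{label:<14} {verdict(hits):<40} {hits}")
```

This catches the obvious cases a user is likely to receive; it does not decompress streams or follow object references, so a document that hides its action inside a FlateDecode stream or an object stream needs a real parser. A hit is a reason to open the file in a sandbox rather than on the help desk's own machine, not proof of malice: forms and interactive documents use /AA and /JS legitimately.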

Monday, July 16, 2012

Open source offense could be our best defense against cyberattacks

What corporate and member information does your CU have floating around in cyberspace, and how accessible is it to cybercriminals? Does your IT security team even know?

Image source: imsmartin
A growing IT challenge is how to protect an organization's information systems and assets without draining the budget, but a strong defense doesn't have to be expensive. Don't get caught up in the media- and vendor-driven hype around cyberattacks; it favors human interest over security basics, can be misleading, and often scares organizations into buying security programs that aren't appropriate for their circumstances.

Every organization is unique, and so is every security product, so before spending time and money on any of them your CU should first assess what data and processes it needs to protect and where they are vulnerable. Identifying data that is publicly accessible and working out how to safeguard it is a good place to start; such data is readily available to attackers no matter what security products your CU uses.

Get the five tips for building a strong cyber offense based on open-source information, presented by SANS Institute Director of Research Alan Paller at the recent ISSA Los Angeles Security Summit.

Friday, July 13, 2012

Researchers Find Serious Flaws in Popular Point-of-Sale System

Security Research Labs in Germany has found several serious vulnerabilities in VeriFone Systems' widely used Artema Hybrid point-of-sale terminal that let attackers alter transactions, steal card data, and carry out other malicious activity.

Image source: Nik Hewitt
The weaknesses found in some of the terminals give attackers a way into the system both remotely and through a local interface. The bigger issue, however, is what an attacker can do once inside. In the most serious scenario the attacker not only steals data from a payment card but also modifies the transaction itself, changing the amount charged to the card.

VeriFone is investigating the situation to determine appropriate countermeasures and will release an update when more information is available. Read the details of the report in the Threatpost article.

Wednesday, July 11, 2012

BYOD is a user-driven movement, not a secure mobile device strategy

As phenomenal as the "bring your own device" (BYOD) movement may be, it is complicating IT security planning.

Image source: imsmartin
Whether people bring their own mobile devices into the workplace to access corporate resources or simply to check their social networks, the movement is unstoppable. Recent reports from Gartner and Cisco forecast that 90% of businesses will support corporate applications on mobile devices by 2014, and that the average person will carry 3.47 devices by 2015 and 6.58 by 2020.

That’s a lot of personal devices for your credit union to manage. What to do?

The basic options are to block ALL devices the organization has not provisioned, block NO devices, or control access for SOME devices, granting or blocking access to resources based on need and risk. Answering this question alone is not enough, though, because the real challenge remains secure mobility: even more important than managing which devices can reach your network is controlling what they can do once they are on it.

What’s your strategy? Is it working? Learn more about combining "mobile device management" (MDM) with "mobile application management" (MAM) and stay on top of BYOD.

Friday, July 6, 2012

5 Enterprise-Worthy Cloud Storage Services

Cloud storage and file sharing services have been emerging at an impressive clip over the past few years.

Image source: Fotopedia
What if you want a secure business solution for your virtual office?

One cloud storage and document management solution on the list is Ftopia, which lets you configure a file structure and create branded, secure, tamper-evident virtual rooms that can be shared with colleagues or clients.

Sit back and let the article take you on a tour of the best cloud storage services for small to midsize businesses such as your credit union. The list: Box, Carbonite, Egnyte HybridCloud, Ftopia, and SugarSync.

Thursday, July 5, 2012

Federal appeal court raps bank over shoddy online security

A U.S. construction company may stand a better chance of recovering some of the US$345,000 it lost in fraudulent wire transfers, which it blames on its bank's poor online banking security practices.

Image source: Flickr
Fraudsters made six transfers through the Automated Clearing House (ACH) system totaling more than $588,000 in May 2009; about $243,000 was recovered.

The court found that Ocean Bank was neither monitoring its transactions for fraud nor notifying customers before a suspicious transaction was allowed to proceed, both of which its security system was capable of doing.

Pay me now or pay me later... Are you doing enough to protect your members and your CU? Read the full article to see what could have been done to change the outcome.

Monday, July 2, 2012

App Development: Been There Done That

The age of the Internet has created a sense of urgency in the world, and with it a strong desire for instant gratification.

Image source: Article
People expect news, status updates from friends, and feedback on anything and everything instantly. So why should it be any different for mobile apps?

When creating your own apps, be mindful of the pitfalls described in this article.

Read the full article to see if your apps are up to snuff.