Tag Archives: PCI DSS

Security Monitoring On A Budget: Security Knowhow Needed

Every company can afford – and must afford – some security monitoring.

Even three years ago, small businesses shied away from security monitoring as too complex and too difficult to deploy, with a 2009 article calling such systems “not for the faint of heart.”

Now, log-management services in the cloud, easier-to-use managed security services, and simpler security information and event management (SIEM) solutions have made security monitoring possible for all but the smallest firms. For such businesses, gathering intelligence on security events can be an offshoot of network monitoring or the other way around, but each can give companies better visibility into what is going on with their information systems, says Nicole Pauls, director of product management for SolarWinds, an information-technology provider.

via Security Monitoring On A Budget: Security Knowhow Needed – Dark Reading.

Two more articles on Global Payments breach

The first is from SC Magazine, Visa expels Global Payments following 1.5M-card breach:

“What’s the takeaway on PCI?” Litan asked on Monday in a blog post. “The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.”

And the second is from Adrian Sanabria, QSA at Sword and Shield, Global Payments Credit Card Data Breach:

The worst thing I’ve been able to determine from the details so far is that it seems Global Payments was storing Track Data – information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data (requirement 3.2.1), and PCI considers the storage of sensitive data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.

It’s a doubly-bad violation of DSS to 1) Not be compliant in the first place, and 2) to suffer a loss of cardholder data.

I imagine the reinstatement audit, if there is one, will be quite extensive.


I’d bet cash money on this place being PCI DSS compliant

The 8-acre facility looks like any other industrial park in a sleepy suburb. But the serene setting masks hundreds of cameras and a crack team of former military personnel. Hydraulic bollards beneath the road leading to the OCE can be quickly raised to stop an intruding car going 50 mph. Any speed faster, and the car can’t navigate a hairpin turn, sending it into a drainage pond that functions as a modern-day moat.

The data center resembles a fortress, with dogged attention to detail. It can withstand earthquakes and hurricane-force winds of up to 170 mph. A 1.5-million-gallon storage tank cools the system. Diesel generators onsite have enough power, in the event of an outage, to keep the center running for nine days. They generate enough electricity for 25,000 households.

[…]

Visa’s core-transaction network is private, immune — the company says — from Internet dangers such as denial-of-service attacks by the likes of Anonymous. When hackers took down Visa’s corporate website in 2010, for example, it had no impact on the core network.

via Top secret Visa data center banks on security, even has moat – USATODAY.com.