Week in review
September 27th, 2007 by admin. Posted in Legislation, Payment Applications

I like to hear comments like those from Mike Rothman about PCI:
So what’s the bottom line? Basically, there is nothing required in the PCI DSS that is overly onerous. Any organization that has been taking security seriously for the past few years should be in pretty good shape. A well-run security program will put a corporation in a strong position to be compliant with most regulations, including PCI DSS.
Thus, I don’t think the PCI DSS requirements should be loosened. Maybe the timeframes could be extended a bit, but just because it’s hard, doesn’t mean it shouldn’t be done.
Here’s a good note about kiosk security in relation to PCI.
If you live or work in California, don’t forget bill AB 779:
Earlier this month, California bill AB 779 was passed near-unanimously in both the State Senate and State Assembly, and it now sits on the Governator’s desk, awaiting the prodigious force of his personal stamp of approval.
At the center of the bill is a requirement that would force retailers like TJX Companies to reimburse banks and credit unions for any expenses those firms are forced to endure as a result of a data breach — namely for re-issuing credit and debit cards to those customers whose accounts have been exposed. Sounds fair enough, and other states are again expected to follow suit.
There is also an article about an application for mobile phones that enables proximity payments. I’m happy to see companies all around the world adopting payment application security practices.
3 Responses to “Week in review”
By Dave on Oct 4, 2007
“there is nothing required in the PCI DSS that is overly onerous.” - Okay, let’s take airlines for instance, who are by default security-focused businesses. Most airlines are large multi-national organisations, with IT systems designed and deployed in the 1970s/80s. Now imagine trying to apply PCI encryption and key management requirements to those IT systems; it’s hardly going to be an overnight operation, is it?
By Benjamin Wright on Oct 4, 2007
In AB 779, proposed Civil Code Section 1724.4(b) is poorly drafted and confusing. It is not clear whether 1724.4(b) covers Internet and mail-order merchants (although the legislature probably did desire to cover those merchants). 1724.4(b)(2) is muddled about what does and does not constitute “sensitive authentication data” that a merchant is forbidden from storing. A literal reading of the words of 1724.4(b)(2) would forbid merchants from storing zip codes, even though Internet and mail-order merchants need to store zip codes for operational purposes. Pending Section 1724.4(b)’s poorly crafted language will be a roadblock as innovators try to invent the next PayPal. –Benjamin Wright, Dallas, Texas