PCI Compliant News | Latest Info Here

Your Source for PCI Compliance News and Tips

Cyber Security – What this means for your business

We live in a digital world where information is one of the most important and expensive currencies available. Thus, safeguarding the data has become one of the most important parts of a business strategy. Intellectual property, financial information and statistics, future plans and development strategies are all considered sensitive information and they all must be properly safeguarded against cyber attacks and other threats.

Unfortunately, cyber security is not yet a major concern for the business owner or the CEO of a company. However, they should rethink their strategies and implement new technologies and methods in order to protect their sensitive information and their businesses from competitors and other third parties.

Cheap PCI Compliant Hosting with exceptional cyber security is available with shared or dedicated plans.

Why is security important for businesses?

Most business owners and CEOs neglect cyber security until an incident happens. At that point, however, it is already too late and sensitive data may have already been stolen. When a company handles sensitive customer data, the importance of safeguarding this information increases exponentially, because an incident may endanger the company's future development and activities. The most honest approach to cyber security is therefore to implement security strategies before an unfortunate event occurs, since the question is not if such an event will happen but when.

Cyber security is important for small businesses as well

According to reports by BIS (the Department for Business, Innovation and Skills), large and small businesses alike are prone to cyber attacks regardless of their number of employees, the nature of their business or the services they provide. Hence, cyber security matters not only to the owners and CEOs of large businesses but to small businesses as well. BIS's reports show that the number of security breaches is constantly growing: more than 87% of the small businesses that were surveyed reported such incidents in the past year.

How to protect your business against cyber attacks?

We have already stated the importance of protection and security. Cyber attacks are nowadays a certainty, so every employee should be trained to spot cyber threats and to protect both the company and themselves against them. How can this ideal become a reality? Let's consider a few important points:

  • Keep your devices up to date. Keep pace with new technologies and new software releases, and update your systems constantly.

  • Stay up to date with the news. Inform your staff about the latest cyber security risks and threats and protect your business against scammers.

  • Educate yourself and your employees. Every individual is important when you are trying to protect your business against cyber attacks, including staff members who don't work in the IT department. They should all understand what cyber attacks are, what the latest threats are and how they can protect the sensitive information they work with. They should be encouraged not to respond to dubious emails and to report them to the IT specialists as soon as they receive them, to use strong passwords on their business and personal accounts, and never to share sensitive data with any third-party individual or company unless told to do so by their supervisors.

  • Don't take people's word for granted. This advice should be taken to heart by business owners, CEOs and non-technical staff alike. There are many types of cyber threats, and some of them do not even arrive through the Internet. Some scammers use traditional channels such as telephone calls, service deliveries and postal mail, so staff members should also be educated about these types of threats.

  • Inform staff members about the risks of bringing their personal devices to the office or using them for office duties. Security staff have limited control over personal devices such as smartphones, tablets and computers. While bringing their own devices may offer cost benefits to the company, these benefits may turn out to be loose ends when fighting cyber threats.

Conclusion to the Cyber security threat

Cyber security is nowadays a necessity rather than a simple curiosity. Small businesses should also implement viable solutions and strategies in order to protect their activity and keep their sensitive economic, social or personal information out of the reach of scammers and other malicious individuals or companies. Information means power and, at the same time, a huge responsibility. Regardless of the services a company provides, all members of staff should be trained to protect the information and to securely store, handle and use the data.

Heartbleed Vulnerability

Some of you may not know of Heartbleed. Heartbleed was, or rather is, a security problem that could affect many websites. Heartbleed is a serious issue because it could expose not only information such as your username and password but also more sensitive information, which could endanger your identity. How do you protect against this? Is there a way to?

To be protected from vulnerabilities such as Heartbleed, we recommend PCI Compliant Hosting from Penguin Web Hosting.

What Really Happened

It is difficult to determine the original source of Heartbleed. With its memorable logo, a heart with blood dripping from it, it is something that will stay with you forever. The Heartbleed bug has been around for over two years. It affects OpenSSL, the software that protects sites across the internet.

What really happened, though? How did it come about? Who created it? Can any of these questions be answered? There are ways to determine whether your site, or a site you know, is vulnerable to Heartbleed. However, there is no way to know whether it has previously been exploited.

It is doubtful when, or if, we will ever know what really happened. We do know how it happens and what happens when a device is affected. Heartbleed can negatively affect thousands of people in different parts of the world.

How does it Work?

Computers that talk to each other over OpenSSL exchange heartbeats, which are basically small pieces of information sent back and forth. What is most scary about Heartbleed is that it is so simple. It can happen anytime and anywhere. While the computers would normally send each other a simple request, it becomes a dangerous one if it is a Heartbleed request.

One word can turn into 500 words. You send a simple request and the other side sends back the same simple response. But if the request claims to be longer than the one word it actually contains, the other side sends back that one word plus however many other words were requested. Those other words could be important, depending on what is in the server's active memory. This is a Heartbleed attack.
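The mismatch described above, as an added example that is not part of the original article and not OpenSSL's own code: a small Python model of the TLS heartbeat record (1-byte type, 2-byte declared payload length, payload, padding) with the "echo" implemented twice, once trusting the declared length the way the unpatched code did, and once with the bounds check the fix introduced. The "neighbouring memory" is a constructed byte string standing in for whatever happened to sit next to the record; nothing here speaks TLS or touches a network.

```python
"""Model of the Heartbleed length check (added example, not from OpenSSL).

Record layout assumed here, after RFC 6520: type (1 byte), payload_length
(2 bytes, big-endian), payload, then at least 16 bytes of random padding.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 3            # 1 byte type + 2 bytes payload_length


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request.

    claimed_length lets the demo construct a record whose declared length
    disagrees with the payload bytes actually present.
    """
    if claimed_length is None:
        claimed_length = len(payload)
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
    return header + payload + b"\x00" * MIN_PADDING


def unchecked_echo(record: bytes, neighbouring_memory: bytes) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes from the payload start.

    The record is modelled as sitting directly in front of other process
    data (neighbouring_memory, a constructed stand-in), so a declared length
    larger than the real payload copies that data into the reply.
    """
    _, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    memory = record + neighbouring_memory
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def checked_echo(record: bytes) -> Optional[bytes]:
    """Patched behaviour: discard the record when the declared payload plus
    the mandatory padding cannot fit inside the bytes actually received."""
    if len(record) < HEADER_LEN:
        return None
    hb_type, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # This is the check the fix added: 1 + 2 + payload + 16 must not exceed
    # the record length.
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        return None
    return record[HEADER_LEN:HEADER_LEN + claimed]


def demo() -> dict:
    """Run both echo variants on an honest and a dishonest request."""
    # Constructed stand-in for data that happened to be adjacent in memory.
    neighbour = b"session_cookie=CONSTRUCTED_SECRET_VALUE;"
    honest = build_heartbeat(b"hat")                       # says 3, sends 3
    dishonest = build_heartbeat(b"hat", claimed_length=40)  # says 40, sends 3
    return {
        "honest_unchecked": unchecked_echo(honest, neighbour),
        "dishonest_unchecked": unchecked_echo(dishonest, neighbour),
        "honest_checked": checked_echo(honest),
        "dishonest_checked": checked_echo(dishonest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The honest request gets `b"hat"` back from both versions. The dishonest one gets `b"hat"` followed by padding and the constructed neighbouring bytes from `unchecked_echo`, while `checked_echo` returns `None`, which is the silent discard the patched server performs; the fix is a single comparison of the declared length against the bytes actually received.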

What Can You Do?

To begin with, you should be aware of the sites you use, especially the ones you use most often. These sites must have been updated, and you should do nothing, especially not change your password, until you have made sure that the site is protected. If the site you are using hasn't been protected against Heartbleed, changing your password could start it all over again. Thankfully, many sites have now been updated to make up for the Heartbleed mistake.

How do I check?

Plenty of websites maintain lists of sites that may still be harmful and haven't done anything to guard against Heartbleed. Some firewall programs have an extra tool to check for Heartbleed. This tool tells the anti-virus's users whether a site could be compromised.

Websites that were affected, or could have been affected, will send out an email informing you of what was going on. It should say that they have done what was necessary to address Heartbleed. That is the cue that it is safe to change your password without the risk of it being exposed by Heartbleed. It is important to watch out for phishing emails or sites, which you can often identify by poor grammar or spelling.

You should always have an anti-virus program installed on your computer. This will help to identify Heartbleed or anything else harmful on your computer. Keep your eyes open for any signs of Heartbleed. Heartbleed is said to affect at least 66% of the websites on the internet.

You can research all of these websites to make sure that they are not, or have not been, affected. Heartbleed is such a simple mistake, yet it can harm just about anyone. In this article, we have gathered information for all our readers to be prepared for anything related to the Heartbleed virus.

Heartbleed is technically not a virus. It began as a simple mistake, one that could allow hackers to take over and obtain any personal information. Today, most websites have protected themselves against Heartbleed; there are few sites left that haven't. However, this does not mean that you shouldn't check any suspicious site beforehand. Sadly, sometimes these things just happen. Hackers can get in at any time, even if most websites have attempted to safeguard themselves.


Every year, companies and governments spend considerable amounts of money developing and maintaining their IT departments, and a large part of that goes to a secure PCI Compliant Web Host. The U.S. government alone spends $80 billion annually. That is a staggering amount, considering that more than half of the world's countries have a GDP equal to or smaller than that sum. As a result, many experts and officials have tried to find ways to cut that figure so that the money could be used to fund other projects. One of the most promising ways to save money on IT is Cloud Computing. Although it isn't a new concept (it has been around since the 1960s), it is only in the last couple of years that we have had the technology to implement it and use it on a large scale. As with all new concepts, there are also some risks and vulnerabilities which need to be addressed and fixed before it becomes a worldwide solution. Even so, companies can already access this service, and steps are being taken to bring the cloud computing trend to governments as well.

The Obama administration has established new security standards to raise the level of security. Vendors who sell cloud services will have to meet these standards if they wish to continue their work. The new federal standards are actually the second step in the government's race to modernize its IT infrastructure while at the same time cutting costs. In 2010, the GSA and the Federal Chief Information Officers Council, working on the requirements for the Federal Risk and Authorization Management Program, announced new cloud standards known as the 25-point federal IT reform plan, which were meant to secure the government's access to cloud computing services and products. Fast forward to today and we have the second step of that plan, which is meant to further increase security levels. The policy's main goal is to cut costs, and to make this happen the Obama administration required every federal agency to develop and implement one cloud-based solution by December 2011 and three cloud-based solutions by June 2012. There are already signs of progress: CIO Kundra said that CIOs from 15 agencies have already informed the Office of Management and Budget that they will move to cloud-based email solutions by the December 2011 deadline.

It is obvious by now that cloud computing will become “an integral part of the government’s DNA,” said VanRoekel, federal CIO. The government has been and is working in partnership with several agencies, state and local governments, industry and non-governmental organizations and academia in order to increase trust and credibility between state agencies and between state agencies and the private sector.

The Federal Risk and Authorization Management Program will be the body that controls the implementation of the new federal standards regarding cloud computing. FedRAMP is estimated to cut IT costs by 30%-40%, and taking into account that the U.S. spends $80 billion annually, the savings are hard to overlook. FedRAMP is the result of collaboration between many different agencies, including the General Services Administration, the National Institute of Standards and Technology, the Department of Homeland Security and the Department of Defense, as well as experts from the private sector. Some voices claim that the system is a long way from becoming operational, but VanRoekel claims that FedRAMP will reach initial operational capacity by the third quarter of 2012.

There is still much debate over whether the cloud computing system will be able to offer the same security level and the same operational capacity as the old one, but one thing is certain: cloud computing will allow governments and companies across the world to save significant amounts of money by cutting costs from the IT budget. Officials and pro-cloud advocates hope that in the future cloud computing will not only cut costs but also increase efficiency and utilization. However, cloud computing means more than cutting costs; it also represents a new dawn in the IT world, in which people no longer invest in IT as a capital expenditure but rather buy it as a service.

Along with Obama's single online id and the trend to move from conventional storage systems to cloud computing, it seems as if the government is trying to take over the internet in a very subtle manner. It may sound like a conspiracy theory, but there have already been cases where private information from blogs and various social websites has been used to manipulate certain situations.

PenguinWebHosting.com ranked #1 PCI Compliant Hosting Provider 2 Years in a Row

Most people know that in today's market the number of possibilities is so high that nobody counts them anymore.

From transactions concluded at home in front of the laptop to paying bills with the phone, every new technology changes people's lives to some degree.

Most people have heard about the possibility of hosting a website on a server without having to acquire the technical equipment themselves. Likewise, employees can check e-mail from home on their mobile phones. However, few of them know that this is possible thanks to cloud computing. This service has gained increasing importance over time due to its high efficiency and applicability. The market has expanded a lot in recent years, and it has become increasingly hard for companies to find a hosting provider that will keep their data safe and secure.

What is the connection between this and PCI Compliance?

PCI DSS is a standard designed by the major credit card companies (such as Visa, Mastercard, American Express etc.) to help customers making transactions through a POS (point of sale) feel secure, without fear that their data could be hacked and their accounts emptied.

This set of regulations is very hard for companies to implement because of its difficult language and the level of knowledge it requires. Depending on the volume of transactions they conclude annually, merchants are categorized into different levels, and each level has to comply with a larger set of regulations.

This is why hosting providers can be a very effective solution for companies in need: they provide the service of keeping the company's data up to date, so the company does not have to worry about security and other issues. Hosting providers are especially important for merchants in Level 4 or 5. Nevertheless, the PCI DSS standard contains some very precise regulations concerning virtualization, so companies are aware that it is not enough to have a hosting provider that is PCI compliant; the company must also fulfill the other regulations and not stop there.

But, as stated before in this article, for companies it can become a really hard task to have to look for a serious web hosting provider that can offer the most suited prices and services according to the company’s needs.

Penguin Web Hosting, the best on the market

Securehostingdirectory.com, one of the most complete websites on the topic, has compiled a top three of the most suitable PCI compliant hosting providers. The criteria used were reliability, level of security and customer service.

The first place was occupied, for the second year in a row, by Penguin Web Hosting.

The website representatives have been very pleased with their customer services because they showed a genuine interest in helping the customer and were always available for any issues the company may face.

Their prices are not the cheapest on the market, but not the most expensive either. If a company is looking for a good ratio between quality and cost, this hosting provider will receive the highest score. Receiving quality at an acceptable cost is an important matter that companies have to take into consideration.

They have a shared PCI Compliant plan which costs approximately $19.95/mo, and they cover both dual and single server options.

The only downside that Secure Hosting observed is that Penguin requires you to send them your IP address so it can be added to an ACL before you can access SSH. Depending on the customer's requirements, this is not necessarily a bad thing. All in all, Penguin Web Hosting is currently the best service provider on the market, for the second year!

Companies should take advantage of this type of information available online when deciding on a hosting provider. Whether it is Penguin Hosting or another one, the choice of provider can determine whether you obtain PCI certification.

Complete and thorough research beforehand should be done in order to reach the best conclusion. Furthermore, companies should always bear in mind what they are looking for in a hosting provider, whether it is round-the-clock customer service or low costs, so that they can remain focused on fulfilling their objectives.

A lot of people are quite overwhelmed by the requirements and subsidiary requirements of the PCI standard, but if you actually look at it, those requirements are not half as hard to meet as many people think, nor half as expensive to implement. Indeed, many of the PCI requirements are absolutely essential for anyone who deals with sensitive information online, especially information in the nature of credit card data and other similarly sensitive information that can lead to severe financial losses and loss of customers’ trust if breached.

Now the first step to being PCI compliant is to think about just how important being PCI compliant is to you. How much does it matter to you if your customers’ personal sensitive information, and more importantly – their financial information and credit card data is lost, hacked or stolen. Now of course you care about your customers’ welfare, but let’s examine some of the latest incidents in the online payment industry.

Generally speaking, when a security breach occurs, the organization concerned does its very best to keep things under wraps and to prevent the information from becoming public, but of course it does become public, as various clients initiate lawsuits and the banks impose fines for the amounts lost on the vendors concerned. Hackers have exploited security breaches at large companies to steal vast numbers of credit card numbers, and have then exploited those numbers, resulting in enormous losses to the vending company.

Of course, the losses come out of your clients’ bank accounts, but you’ll find that banks do not penalize customers for such losses, but instead will fine you, or your payment system provider. Ultimately, it is the vendor who ends up paying for any breach in security, and this places the responsibility for preventing such a breach directly on your shoulders, unless of course you don’t mind paying tens of thousands of dollars in fines and legal fees. For a larger company, such losses can amount to hundreds of millions of dollars, and this is not counting the loss of trust and the perhaps almost irreparable loss of reputation of the concerned company.

If you are a medium to large company, the people you put in charge of PCI compliance can be crucial to whether your company becomes PCI compliant in the near future or whether the situation is more or less ignored. You need dedicated and skilled technical people in charge of getting your company PCI compliant, people who will master the latest software, who will ensure that regular testing procedures are carried out, and who will make sure that everyone in the company, from the bottom up, obeys the PCI standards and norms.

Generally speaking, the number of transactions that your company processes per day or per year decides the level of security and, moreover, the type of security that you require. Large companies use cloud-based security systems that can oversee and handle the security of installations spread out all over the globe, with units in vastly diverse and distant physical locations.

Once your team implements the PCI standard, you then have to reeducate your work force to ensure that they do not unknowingly breach that standard, either through the use of high risk software and applications or else by breaching firewalls and by the irresponsible use and dispersion of passwords.

Once the reeducation of your work force is complete, it remains to test your system, whether local or global, for security breaches. There are companies that handle the testing procedure and can test your system on a quarterly or even daily basis. When security holes are located, they need to be closed as quickly as possible.

Though the complexity of the PCI standard can seem overwhelming to the uninitiated, it is not so. Mostly, the PCI standard is just a matter of common sense, and of being conscious of security and of placing security over all other considerations.

Remember that massive hacking into restricted security areas poses a serious threat to the very future of online commerce, and as online commerce expands to encompass the world, it poses a threat to the future of worldwide commerce itself. The PCI security standard has been implemented not to tyrannize online vendors, but to protect them by initiating global action against hackers, through a unified approach that covers the entire globe and meets hackers' attempts at intrusion with a wall of digital steel.

It is the only approach that will work, and the alternative is loss of trust in the online transactions themselves and a loss of the customers’ trust in vendors everywhere. What will the fate of online commerce be if people hesitate before entering their credit card information when making a purchase online?

Of course there are organizations like PayPal that cloak credit card information, but even this information can be breached. Lastly, while a hacker may profit immensely from stolen credit card information, someone has to pay the bills, and that someone is usually the vendors themselves.

Therefore, with the vendor in the hot seat, any compliance with PCI standards is an entirely defensive measure and in a vendor’s own self interest.



Penguin Web Hosting helps small business PCI compliance with cheap web hosting plans.


The new PCI standard is probably the best and finest defense against credit card fraud today. The PCI standard is composed of such a common-sense set of rules that anyone who does not comply with it is truly taking an unnecessary risk of falling victim to credit card fraud.

This is a risk that is all but unacceptable. Not only do you risk your customers’ personal and financial information, but you also risk massive losses in terms of time and money to your business, as well as the loss of your customers’ trust – a loss that may well be permanent in case of a serious theft of your customers’ information or a massive security breach of your systems.

The PCI standard covers all manner of transactions, including debit and credit cards, as well as e-purses and ATMs, and even point of sale organizations. For most companies, all PCI compliance involves is initiating a few simple and utterly necessary precautions to ensure that crucial data is not easily compromised.

For a large organization PCI compliance can be more difficult, not because PCI compliance in itself is hard to implement, but because it is hard to oversee every aspect of a larger organization, especially one with units or branches scattered all over the world. But it is perfectly possible for each of these branches to be PCI compliant. It might be difficult for the central administrative system to oversee all the branches that come under its auspices. However, these days there are cloud-based systems and software that can oversee even a larger organization, even one with many online systems physically based at different points of the globe.

Now PCI compliance might at first seem rather complicated, with twelve main requirements and more than two hundred subsidiary requirements. However, many of these requirements simply form a minimal standard of security that every person should have even on a personal computer, and that for an organization processing sensitive data is an absolute must.

While some might be of the opinion that PCI solutions are expensive to put into place, this is usually only the case for a large organization. For example, I have on my own machine security systems in place that are equal to the PCI standard, and I'm not even an online vendor, or at least I do not run my online vending systems from my personal computer. And that ultimately is the heart of the PCI standard. The reason the PCI standard has to be implemented in the first place is that many smaller vendors have a very laid-back attitude towards security.

For example, you'll have small businesses whose owners use their main server for all sorts of activities that are risky from a security point of view: surfing the net, using chat software, playing games, or using peer-to-peer download utilities, all of which are high-risk behavior for a business that stores credit card information, as well as personal information, on its servers. Any of these applications can be a gateway for viruses and spyware, and therefore a gateway for hackers to infiltrate the system.

Any of these activities can result in the theft of your clients' personal and financial data, resulting in considerable loss to your clients and to your company, and perhaps in the ultimate destruction or crippling of your business. And yet, for a small business, security is not that hard to implement. All one needs to do is avoid installing unnecessary high-risk software on the main server. You need to ensure the security of your networks, ensure that there is a firewall in place, and make sure that all important data is protected by encryption. Make sure that your anti-virus defenses are active and up to date. Restrict access to the main server on a need-to-know basis only, with the master password preferably in one person's hands and extremely limited access for anybody else who needs to use the server for business purposes. And of course there should be regular monitoring and testing of all your servers and networks.

However, if you are the owner of a small business, you should know that the onus of being PCI compliant is entirely upon you, and in case of fraud the entire cost of the breach will be upon your shoulders, as well as legal costs in the form of lawsuits and other resulting expenses. This can result in losses of up to fifty thousand dollars or more, which is an excellent reason for being PCI compliant.

There are two types of PCI Compliant shopping carts: the SaaS kind, such as a hosted cart like Nexternal, and the kind that you download and install on your domain at your PCI Compliant Hosting Provider.

Whether you like it or not, sooner or later you will have to decide on an eCommerce solution to better manage your business and keep track of its evolution. Being successful does not mean attracting customers on your own, but rather having a broad view of your business and of the areas which require improvement.

By means of a well-developed, reliable and effective eCommerce solution you can achieve this objective. In addition, when it comes to satisfying the PCI compliance requirements and other such standards, you definitely need a platform for keeping your customers' data secure.

However, during the decision-making related to eCommerce solutions, one should analyze both:

  • Advantages
  • Disadvantages

You should know by now that there is no perfect or ideal eCommerce solution. Why? Simply because each business is different, with different needs and objectives to achieve. Even within the same field of activity, each business is unique, with different goals, specific competitive advantages and other such features. So there is no perfect eCommerce solution, even if eCommerce companies are constantly trying to develop new software solutions to satisfy a wide range of needs.

Thus, you should stick to determining which the best eCommerce solution is for you. The most popular solution is not necessarily the best one for you. Similarly, if a specific eCommerce solution has worked for a giant business, this does not mean that it will work in the same way for you.

It is left for you to analyze the available eCommerce solutions and determine which software satisfies the greatest degree of your needs – that would be the right software for your business.


Nexternal eCommerce solution – pros and cons

Nexternal is a good example of an eCommerce solution which allows businesses to thrive in a competitive market and enjoy good results in the long run. In order to be confident that this type of eCommerce software would be suitable for your business, you should first take a look at the advantages it offers. The disadvantages will usually not be presented, but you can work them out from the testimonials of third parties or by analyzing the features offered.

Advantages: Within the category of advantages, in the case of Nexternal eCommerce solution we include:

  • PCI compliance: One of the most important aspects is fully satisfied, while customer security regarding payment and personal information is maintained 24/7.
  • Suitability for all businesses, regardless of their size: The Nexternal software is flexible and fits almost all types of business;
  • Wide variety of features offered: Marketing and promotional tools, a unique and personalized shopping cart experience, an order processing system, effective reporting on orders, profit and dashboard, CRM tools and other such features;
  • Free trial available for merchants located in the US and Canada: You can try it and see how effective this eCommerce software would be for your business, how you can handle it and whether it is what you need;
  • Available demos: By means of a set of fictitious retailers, you can see how this software is used and the importance of each feature;
  • Constantly adding new features: Innovation is always encouraged. The team at Nexternal is always looking for new ideas and tools to add, so that all businesses should find this software useful and appropriate for their objectives.


Disadvantages: There is no real disadvantage in the case of the Nexternal software, but there is one aspect which might not fully be in your favour: too many features.

Having this in mind, depending on the size of your business, some of the features included in this package might be useless for your business, at least at the moment. Choosing eCommerce software implies effectively using all the available features. This is how you will get a good return on investment. Otherwise, if there are too many unused features, the investment is ineffective.

Thus, you should make sure that all the available tools of Nexternal are useful for your business, or at least that you will need these tools in the near future. If not, then you should look for a simpler eCommerce software solution that satisfies your current needs.


All in all, even if choosing the right eCommerce software solution seems difficult, all your research will definitely be worth it in the end. Having the right tools for your business is crucial for long-term success. Not using the right tool can jeopardize your business and what you have achieved so far.

PCI DSS 2.0, What’s New?

Feb-24-2011 By admin

In order to ensure cardholder data security, the PCI Security Standards Council (PCI SSC) provides robust and effective standards to support payment and data security. These standards, known as the PCI Data Security Standard (PCI DSS), are developed for payment card data protection on a planned life cycle. At the end of the last stage of that life cycle, a stakeholder meeting was held on October 28, 2010, and the latest PCI version, PCI DSS 2.0, was launched.

The main objective of these standards is to help organizations ensure the safe handling and protection of cardholder information at every step of the payment process. The PCI DSS provides a comprehensive framework for the development of an effective and reliable payment process while preventing and detecting security risks.

PCI DSS for merchants

The PCI Security Standards Council provides PTS (PIN Transaction Security) requirements for all PIN transactions on POS devices and other types of payment terminals. These standards represent the main framework of tools, requirements and specifications that help merchants ensure cardholder protection.

To ensure the development of secure and highly protected payment applications, PCI SSC created the PA-DSS (Payment Application Data Security Standard), which helps software developers and merchants in their work on secure payment applications. There is also a list of Validated Payment Applications which merchants should analyze and take into consideration. The Council also organizes training for individuals and companies on PCI compliance issues.

PCI DSS 2.0

At the PCI SSC meeting of October 28, 2010 in Wakefield, attended by the Council's main global stakeholders, it was decided that PCI DSS 2.0 would take effect on January 1, 2011. PCI DSS 2.0 is the latest version of PCI DSS and was designed to make PCI implementation easier for merchants. The PA-DSS (Payment Application Data Security Standard) was launched along with PCI DSS 2.0. To keep all merchants who follow the PCI compliance standards informed, a summary of changes was shared before the release of PCI DSS 2.0, clearly presenting the additional PCI requirements, clarifications and additional guidance.

However, regarding the new PCI DSS 2.0 version, it is important to know the following:

  • PCI DSS 2.0 does not involve any new special requirements;
  • The main clarifications are language modifications in order to ease the merchants’ understanding of PCI DSS;
  • The updated version of PCI DSS helps manage the evolution of risks and minimizes the threats;
  • The best practices in the industry are encouraged;
  • The revisions made by PCI SSC global stakeholders concern the reinforcement of a thorough scoping exercise and the promotion of highly effective log management for cardholder data security. Further details on the summary of changes for PCI DSS 2.0 can be found at https://www.pcisecuritystandards.org/security_standards/documents.php?category=standards.

Along with the launch of PCI DSS 2.0, a new three-year lifecycle for the development of the standards has just started. Even though the new PCI DSS 2.0 standards come into force on January 1, 2011, validation against the previous PCI compliance standard (PCI DSS 1.2.1) is still allowed until December 31, 2011. Even though the PCI SSC encourages merchants to make the transition from PCI DSS 1.2.1 to PCI DSS 2.0, the year 2011 gives stakeholders and merchants more time to understand the differences between the two versions and the implementation mechanism for maximum cardholder data protection.

All in all, thanks to the feedback received from merchants and global stakeholders on the PCI compliance standards, the PCI SSC was able to develop a valuable, reliable and thorough security framework for cardholder data protection in the form of PCI DSS 2.0. Even though PCI SSC was created by the major card brands, all merchants and banks are encouraged to join the Council. There are only a few changes between PCI DSS 1.2.1 and PCI DSS 2.0, but it is important to correctly implement the latest version and be aware of these changes.

Finally, the PCI SSC continues to provide ways and solutions for the ongoing development and enhancement of the PCI DSS, PTS and PA-DSS requirements so that cardholder information remains secured and protected.

In a recent trend, bank account numbers are being stolen by data thieves more and more commonly. This leads to a question: should the banking industry set up a set of standards to protect the transmission of bank account numbers, similar to the PCI compliance standards set up by the payment card industry?

Bank account numbers have always been a target for scammers; however, as it becomes increasingly harder to fraudulently charge a credit card and get away with it, scammers are now turning to bank account numbers.

One scam in particular is where they buy bank account numbers in bulk, set up fake subscriptions and then ACH debit your checking account via e-checks, which do not require a signature. The amounts are small, in the $20-30 range, and recur every month until you close the account.

Unfortunately, I was recently a victim of this very scam. Through my investigation, my bank account number was likely sold to scam artists in Europe by a representative of the company in India which my mortgage provider uses to process payments and provide billing and customer service. I must say that, being a security expert, this took me by surprise.

The echeck which appeared on my bank account had my name but a different, nearby address. I believe this address was chosen at random by the scammer so that I would think someone local stole my account info.

Upon calling the number on the echeck, I was able to reach a person one time, who said that my bank account number was entered on a website for a subscription. She claimed they were just an innocent payment processor and that it was the first time she had heard of someone being charged fraudulently by her company. She also could provide no info on what the website was, only a company name, of which I can find no record and no website. She then directed me to a website which, according to the whois record, is owned by the Goodman Group Inc. She said to fill out the contact form there, and they would send me the IP address of the person who used my account number; she also took my email so she could email me directly, as she claimed not to have direct access to the IP. The IP was never sent to me, and I don't believe my bank account number was used by anyone other than the scammer who is billing several accounts in bulk. The website she directed me to pings to a server outside the U.S., in Luxembourg. It also did not mention anything about their payment processing service, nor could I find any website of theirs which offered these services.

A search online shows numerous other people also charged fraudulently by the Goodman Group (AKA Goodman Brothers), or someone continually using the Goodman Group to process these fraudulent bank drafts for them, including at least 18 who have the same mortgage provider I do (I no longer use this mortgage provider).

I have reported this incident to law enforcement and other government agencies and also mentioned that it appears to be part of a very large scam, and as yet I have received no response.

I have also not been credited by my bank (Fifth Third Bank) yet for this fraudulent echeck, although they claim they are investigating the issue and I may receive credit for it in the future.

I found it surprising that the bank does not have the means in place to catch these, for example something similar to when the credit card provider calls or emails you to say they noticed a suspicious charge on your credit card. For my account in particular there are very few bank drafts every month, all in the same or almost the same amount, and all to major companies, i.e. Bluecross Insurance, my mortgage company, and a payment or two to my credit card company, so this transaction should have stood out for a number of reasons. In addition, the supervisor at Fifth Third Bank said she was very familiar with this type of scam.

That said, the scammers seem to be able to easily get away with this kind of fraudulent bank drafting, and they know banks will/can do little to stop it and law enforcement will likely not bother investigating small charges. In most cases their charge will likely go unnoticed, at least for several months, by the average account holder (in my particular case I noticed it within 24 hours of it posting).

The sale of personal data seems very widespread: in an undercover investigation, an employee of an Indian customer service call center offered to provide 100,000 bank account numbers and other personal data for about $25 each. In a country where the average salary is about $2 per day, you can see what kind of lucrative business that can be.

That being said, what can be done about this situation? If we look at PCI compliance, if this happened with credit cards, the major credit card providers would likely see that a high number of credit cards were used fraudulently after also being used at a certain business (in my case the mortgage company). They would then do an investigation, find out that the credit card data was likely not properly protected and that the organization was in violation of PCI compliance, and hit the organization with a steep fine to help ensure this would never happen again; or the organization would have been PCI compliant ahead of time and this would never have happened.

Plus, if they were fraudulently charging credit cards, they would get hit with so many chargebacks that they would likely lose their merchant account and/or have so many chargeback fees that it would be difficult to make as big a profit from it.

Granted, the payment card industry has more to lose: if there were high fraud online, people would just stop using their credit cards online, whereas with banking people can't give that up, at least not as easily.

However, as an IT security professional I think fraudulent bank drafts are just in their infancy and will increase exponentially as scammers turn to this rather than billing credit cards. To prevent it, the banking industry needs to take a stand and first be able to more easily detect likely fraudulent echecks, and second set up an industry standard for anyone who processes ACH drafts, including echecks, online echecks, checks by phone, and even anyone who handles checks or anything with the bank account number. There should also be stiff fines from the banking industry for any organization which compromises personal bank account data.

Let me know your comments on what you think of a Banking Industry Compliance Standard, and be sure to check your online bank statements regularly.

Update: After some initial confusion, Fifth Third Bank has issued me credit for the disputed amount. They have contacted the bank of first deposit of the check, which can take 30-120 days to either approve or deny the claim, and if they deny it they must provide conclusive evidence that the check was properly negotiated. Fifth Third Bank did say my credit would not be revoked regardless of the outcome, which was very nice of them and appropriate for the situation.
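The kind of check the post above says the bank should have run, as an added example that is not code from the post or from any bank: build a profile of the account's normal ACH drafts, then flag a draft that goes to an unknown payee, carries a different address, falls outside a known payee's usual amount, or is far smaller than anything the account normally pays. All account data and the sample draft are constructed.

```ruby
# Added example, not code from the post or from any bank: profile an
# account's normal ACH drafts and flag one that breaks the pattern.
# All account data below is constructed.

# Account holder details on file (constructed).
ACCOUNT_ON_FILE = { name: 'J. DOE', address: '12 ELM ST, SPRINGFIELD' }.freeze

# Constructed history: a few monthly drafts, all to known payees and
# all carrying the address on file.
HISTORY = [
  { payee: 'BLUECROSS INS',  amount: 412.00,  address: '12 ELM ST, SPRINGFIELD' },
  { payee: 'ACME MORTGAGE',  amount: 1250.00, address: '12 ELM ST, SPRINGFIELD' },
  { payee: 'CARDCO PAYMENT', amount: 300.00,  address: '12 ELM ST, SPRINGFIELD' },
  { payee: 'BLUECROSS INS',  amount: 412.00,  address: '12 ELM ST, SPRINGFIELD' },
  { payee: 'ACME MORTGAGE',  amount: 1250.00, address: '12 ELM ST, SPRINGFIELD' },
  { payee: 'CARDCO PAYMENT', amount: 285.00,  address: '12 ELM ST, SPRINGFIELD' },
].freeze

# Summarise "normal": the amount range seen per payee and the smallest
# draft the account has ever paid.
def build_profile(history)
  ranges = {}
  history.each do |d|
    lo, hi = ranges[d[:payee]]
    ranges[d[:payee]] = [[lo, d[:amount]].compact.min, [hi, d[:amount]].compact.max]
  end
  { ranges: ranges, min_amount: history.map { |d| d[:amount] }.min }
end

# Reasons a draft looks anomalous; an empty list means it matches the profile.
def draft_reasons(profile, draft, on_file = ACCOUNT_ON_FILE)
  reasons = []
  range = profile[:ranges][draft[:payee]]
  if range.nil?
    reasons << :unknown_payee
  else
    lo, hi = range
    # Tolerate 10% drift around the historical range for a known payee.
    reasons << :amount_outside_range unless draft[:amount].between?(lo * 0.9, hi * 1.1)
  end
  # The post's echeck carried the right name but a different, nearby address.
  reasons << :address_mismatch if draft[:address] != on_file[:address]
  # Test-style scam drafts are far smaller than anything the account normally pays.
  reasons << :unusually_small if draft[:amount] < profile[:min_amount] * 0.5
  reasons
end

def suspicious?(profile, draft)
  !draft_reasons(profile, draft).empty?
end

if __FILE__ == $PROGRAM_NAME
  profile = build_profile(HISTORY)
  # Constructed draft shaped like the one in the post: small, unknown payee,
  # same account holder name, different address.
  draft = { payee: 'ONLINE SUBSCRIPTION SVC', amount: 24.95, address: '15 OAK ST, SPRINGFIELD' }
  puts "#{draft[:payee]} $#{draft[:amount]}: #{draft_reasons(profile, draft).inspect}"
end
```

A real bank would also weigh timing (a new payee appearing exactly monthly) and the originator's history across many accounts, which the post's "at least 18 with the same mortgage provider" observation is an instance of.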

PhoneFactor is the leading global provider of phone-based two-factor authentication and has developed a simple, effective and efficient two-factor security system which ensures protection against today's biggest threats. The latest version of PhoneFactor features a multi-factor authentication system. They also provide APIs (SDKs) in PHP and Perl, as well as Ruby and Java, which means it is very compatible with your Linux server.

Nowadays, two-factor authentication is no longer an option but a must for more than 80% of businesses. The good news is that PhoneFactor is constantly upgraded in order to comply with the PCI Data Security Standard requirements, HIPAA, the FFIEC Guidelines and other such industry regulations.

The latest PhoneFactor improvement is the achievement of SAS 70 certification, which proves adherence to the rigorous requirements set by Statement on Auditing Standards No. 70. For companies and organizations that operate in a compliant environment, compliance with SAS 70 is a necessity.

In some cases, in order to maintain compliance with industry regulations like PCI DSS (Payment Card Industry Data Security Standard), two-factor authentication is an important ingredient of a rigorous security policy. The best available solution which combines ease of use with PCI standards compliance is PhoneFactor.

PhoneFactor and PCI compliance

Whether it is the holiday season or a normal business day, customer data and your Linux server must be protected against the latest threats. Because organizations and merchants must ensure cardholder data protection and security for customers' credit card information, PCI compliance is an important issue.

This is why PhoneFactor is a rapid, efficient and cost-effective method to fulfil all PCI compliance requirements and standards. In addition, PhoneFactor also adds more security thus preventing unauthorized access to credit card data and information on your Linux server.

Moreover, PhoneFactor can also be deployed for a large number of employees and worldwide, because it requires neither end-user certificates nor security tokens.

How does PhoneFactor work?

Simply put, PhoneFactor is a phone-based authentication service that serves as the second factor in a two-factor authentication system; it can protect web administration by sysadmins and includes support for services such as VPN, Citrix, and SAP. PhoneFactor authentication has two stages: first the usual login process, and second a phone call in which the user provides a PIN/password (or presses #). In this way, the two-factor model requires the user to enter a login ID and a PIN/password. With a phone-based system like PhoneFactor, the need for an external device to log in is eliminated, and the cost of implementing two-factor authentication is reduced.

Besides these advantages, PhoneFactor also offers a "higher standard of security technology", which refers to fraud alerts: if a user receives an authentication call for a login they did not start, they can use the call to alert IT to the fraudulent login attempt.
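The two-stage flow and the fraud alert just described, as an added example that is not PhoneFactor's SDK or any code from the original post: a minimal server-side model in Ruby (one of the SDK languages the post lists) where, after the password check passes, a challenge is bound to a simulated call, the user presses # or keys a PIN to approve, and a hypothetical fraud code locks the account and queues an alert for IT. Every name, code and user record below is an assumption.

```ruby
require 'securerandom'

# Added example, not PhoneFactor's SDK or any code from the post: a minimal
# server-side model of a phone-based second factor. After the password
# check passes, the server ties a challenge to a (simulated) call; the user
# presses # or enters a PIN to approve, or keys a fraud code to report a
# login they did not start, which locks the account and alerts IT.
class PhoneSecondFactor
  FRAUD_CODE = '0#'.freeze   # hypothetical: what the user keys to report fraud
  MAX_PROMPTS = 3            # wrong PIN entries allowed on one call

  Challenge = Struct.new(:user, :attempts, :state)

  # users: name => { pin: '1234' or nil for press-# mode, locked: false }
  def initialize(users)
    @users = users
    @challenges = {}
    @alerts = []   # fraud alerts queued for the IT team
  end

  attr_reader :alerts

  # Call once the first factor succeeded. Returns the challenge id the
  # phone call is bound to, or nil if the account is locked.
  def start_challenge(user)
    rec = @users.fetch(user)
    return nil if rec[:locked]
    id = SecureRandom.hex(8)
    @challenges[id] = Challenge.new(user, 0, :pending)
    id
  end

  # keyed: what the user entered on the phone ('#', a PIN, or the fraud code).
  def respond(id, keyed)
    ch = @challenges[id]
    return :invalid unless ch
    return :expired unless ch.state == :pending   # each challenge answers once
    rec = @users[ch.user]
    if keyed == FRAUD_CODE
      rec[:locked] = true
      @alerts << { user: ch.user, challenge: id, reason: :user_reported_fraud }
      ch.state = :fraud
      return :fraud_reported
    end
    expected = rec[:pin] || '#'
    if same?(expected, keyed)
      ch.state = :approved
      :allowed
    else
      ch.attempts += 1
      ch.state = :denied if ch.attempts >= MAX_PROMPTS   # hang up after 3 misses
      :denied
    end
  end

  private

  # Constant-time comparison so a PIN check does not leak via timing.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a real deployment the challenge would also carry an expiry and the alert would go to a ticketing or SIEM queue; here it is only appended to an in-memory list.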

After downloading PhoneFactor there are two main options:

  1. Installing the PhoneFactor Agent within your environment
  2. Deploying the Linux-compatible PhoneFactor Direct SDK

PhoneFactor advantages

Choosing PhoneFactor represents one of the best solutions available, but it is much easier to evaluate its usefulness by analysing the advantages it could bring a business:

  • Security strengthened: The fraud alerts provide additional protection, as do other new features that increase overall security.
  • Cost-reducing: With the latest PhoneFactor version there are no additional IT costs, which is important for a business whose main objective is to minimize costs and maximize profit.
  • Ease of use: Using PhoneFactor is much more convenient compared to other methods, and the staff training required does not take much time or cost.
  • Deployment time frame improved: Developing a successful business also involves challenges and risks. But by using PhoneFactor everything will run smoothly and be easily implemented within the normal business cycle, as it is compatible with your current Linux hardware and software. PhoneFactor meets all PCI compliance requirements and usually the IT team can have it up and running in just a few hours.

There are plenty of other advantages to using PhoneFactor, and they vary from business to business.

PhoneFactor Compatibilities: Linux and Microsoft

The PhoneFactor two-factor authentication model is compatible with all servers that use RADIUS, including Microsoft IIS servers and Linux servers with PAM (Pluggable Authentication Modules). PhoneFactor includes multiserver support, Active Directory integration and enterprise modules, and by using the SDK it can be integrated into your existing software.

That being said, PhoneFactor is an essential tool for almost all businesses: its implementation and use are flexible and it is highly effective. For ensuring cardholder data protection and security through PCI compliance, PhoneFactor will satisfy all these needs.

How To Get PhoneFactor For Free

If you have 50 users or less, you can sign up for a PhoneFactor account and download the SDK right from www.PhoneFactor.com. For more than 50 users, contact them for pricing.