Security News Curated from across the world
Companies that are approved as PA-QSAs will be recognized in a Council maintained and published list and can begin conducting PA-DSS assessments in accordance with the PA-DSS Security Audit Procedures.
All companies that were previously recognized as PA-QSAs under Visa PABP will need to enroll and re-validate as a Council PA-QSA.
http://www.net-security.org/secworld.php?id=6025
The council noted that Visa created the standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and support compliance with the PCI DSS.
PCI data security standards: Don’t blame PCI DSS for TJX troubles, IT pros say: Data breaches at TJX and elsewhere have some questioning the effectiveness of PCI DSS, but others say the real problem is how companies approach the guidelines. Banks neglect responsibility for data breaches, some say: TJX has become the poster child for bad data behavior, but some believe the bank and credit card companies aren’t accepting enough responsibility for the data breach epidemic.
The addition of PA-DSS comes as merchants fight for more control over the data they store and as attackers target Web applications with growing zeal.
Last month the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data.
NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers because doing so increases the risk that hackers will try to steal the information.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1281251,00.html
For many companies, especially large ones using older payment applications, Visa’s mandate could mean “tens of millions of dollars” in upgrades to new technologies over the next few years, said Jim Huguelet, an independent consultant in Bolingbrook, Ill. The mandates will also “by proxy” force vendors of payment applications to finally start implementing security features that have been recommended by Visa and others for some time now, he said.
“This is a really major step forward for the industry in asking payment application vendors to step up and support more directly the compliance efforts of their customers,” Huguelet said. “Now it has become clear that payment vendors have to make their software support security standards” or risk being cast aside by their customers, he said.
Visa’s mandates have been expected for some time and are designed to address long-standing security weaknesses in the applications merchants use to conduct payment card transactions. The biggest concern has been the fact that many payment applications now in use are designed to store data such as the full magnetic-stripe information from the back of cards, card-verification code numbers and PIN data. Storing that data has made payment systems an attractive target for hackers and has long been considered a fundamental security weakness. It is a practice that has been explicitly banned under PCI.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9044159&source=NLT_AM&nlid=1
The bill would provide notice to consumers, telling them which retailers lost their credit or debit card information, and when the information was lost. It would require retailers responsible for data breaches to assume all costs of consumer notification and card replacement. It also would require retailers to follow key provisions of the payment card industry data security standards to ensure proper retention and protection of credit and debit card information. “Passage of this legislation is a great example of credit union teamwork and demonstrates the strength of our comprehensive advocacy efforts,” California Credit Union League President and CEO Bill Cheney said in a statement. “It is extremely gratifying to credit unions that the state Senate has approved the bill by such an overwhelming margin.”
The California Retailers Association opposes the bill. The group took out a political ad in the Sacramento Bee, with support from the California Bankers Association. It claimed that credit unions are exempt from the data security provisions.
The CCUL said they already meet those requirements under existing laws.
The full text of the bill is available online through the California Legislature’s Web site.
http://www.darkreading.com/document.asp?doc_id=133382
The minister was addressing a press conference a day after the federal cabinet approved the Prevention of Electronic Crime Bill 2007. The Federal Investigation Agency (FIA) has been given the mandate to probe
cases falling under the preview of the e-crime law.
Awais Leghari said the proposed law titled as Prevention of Electronic Crimes Bill 2007 offers penalties ranging from six months to 10 years of punishment for 17 types of cyber crimes, including cyber terrorism,
hacking of websites and criminal access to secure data. Thirteen of the crimes listed under the law are bailable.
http://www.paktribune.com/news/index.shtml?187463
“In essence, the way the laws are phrased now, there is no way to ever comply… even as a non-security company,” says researcher Halvar Flake, a.k.a. Thomas Dullien, CEO and head of research at Sabre Security. “If I walked into a store now and told the clerk that I wish to buy Windows XP and I will use it to hack, then the clerk is aiding me in committing a crime by [selling me] Windows XP,” Dullien says.
“The law doesn’t actually distinguish between what the intended purpose of a program is. It just says if you put a piece of code in a disposition that is used to commit a crime, you’re complicit in that crime.”
Dullien says his company’s BinNavi tool for debugging and analyzing code or malware is fairly insulated from the law because it doesn’t include exploits. But his company still must ensure it doesn’t sell to “dodgy” customers. Thierry Zoller, security engineer for German security firm n.runs, says he has removed his homegrown Bluetooth hacking tool, and renowned PHP researcher Stefan Esser earlier this month took down all of the proof-of-concept exploits he had developed for the Month of PHP Bugs in March.
It’s unclear whether the long arm of the German law could reach them, so some aren’t taking any chances: The exploit-laden Metasploit hacking tool could fall under German law if someone possesses it, distributes it, or uses it, for instance.
“I’m staying out of Germany,” says HD Moore, Metasploit’s creator and director of security research for BreakingPoint Systems. The law basically leaves the door open to outlaw any software used in a crime, notes Sabre Security’s Dullien.
Interestingly, German lawmakers met plenty of expert resistance to the computer crime law reforms — but passed them anyway. Lindner says he told officials that the German implementation of the EU Cybercrime Convention — from which the law originated — is not in line with the EU version, which excludes security industry, academic, and private security research. Dullien says he thinks legislators were pressured to pass a new law because the old one was flawed. “And they had to implement the EU directive on cybercrime, making it illegal to provide software whose ‘principal purpose’ is committing a crime,” he says.
The law, which went into effect on August 10, mandates fines or prison sentences for any person who violates 202a or 202b “by providing access to, selling, acquiring, leaving at the disposition of someone, distributing or otherwise making accessible” passwords or access control information.
http://www.darkreading.com/document.asp?doc_id=132255