PCI Council Advice on Threat Management

December 15, 2009 by ADMIN

By Robert Siciliano, ID Theft Expert and Security Consultant to Intelius

Security professionals intuitively think proactively.

Our job is to predict and prevent what the bad guy will do next. My job specifically is to instill this mindset into you, the consumer, SMB or large corporate enterprise.

Bob Russo, General Manager and Rockstar of the PCI Security Standards Council reminds us all in this Business Week article that it’s not all about prevention.

Sage advice:

Many businesses are familiar with the PCI Security Standards Council’s requirements, yet many card fraud incidents go undiscovered for long periods of time.

In fact, according to Verizon’s 2009 Data Breach Investigations Report, 75% of compromises were discovered at least weeks after the compromise.

Data security is not all about prevention; it also requires detection and monitoring.

In the event of a breach or card fraud, proper monitoring can detect and eliminate additional fraud quickly.

Thus, with the holiday season in full swing, it’s a great time to reconsider your company’s log management and monitoring. Consider the following tips:

1. Ensure your organization keeps timely, accurate, and unaltered records of what has taken place within the cardholder data environment (who, what, when, and how) to protect it in the event of a data compromise and resulting investigation.

2. Monitoring also can include physical surveillance. Closed-circuit monitoring of POS terminals can detect suspicious or fraudulent behavior.

3. Even when you are at your busiest, you simply cannot afford to overlook monitoring as a primary detector of card fraud and the trigger to eliminating ongoing criminal activity.
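The first tip asks for timely, accurate and unaltered records of who did what, when and how. One way a defender can make "unaltered" something that is actually checkable is to chain each log entry to the hash of the entry before it, so that editing or deleting a record breaks every later link. The Python below is an added illustration of that idea; it is not code from the article, from Bob Russo or from the PCI Council, and the record fields, the sample events and the helper names are all assumptions made for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # the value the first entry chains to


def _entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # produces the same digest regardless of dict ordering.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, when, who, what, target, how):
        # Field names (when/who/what/target/how) are an assumption that mirrors
        # the "who, what, when, and how" wording of the tip above.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "when": when, "who": who,
                  "what": what, "target": target, "how": how}
        entry = {"record": record, "prev": prev,
                 "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        # The head hash is what you would ship off-box (to a write-once store
        # or a separate log server) so that truncation can be detected too.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries, expected_head=None):
    """Return the index of the first entry that fails verification, or None
    if the chain is intact. When expected_head is supplied and the stored
    chain ends on a different hash, len(entries) is returned to signal that
    the tail has been cut off."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["record"].get("seq") != i or e["prev"] != prev:
            return i  # a record was removed or reordered
        if _entry_hash(prev, e["record"]) != e["hash"]:
            return i  # the record content was edited after the fact
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def build_sample_log():
    # Constructed sample events for a cardholder data environment, not real data.
    log = AuditLog()
    log.append("2009-12-15T09:58:03Z", "svc-pos", "read", "PAN vault", "service API key")
    log.append("2009-12-15T10:02:41Z", "jsmith", "login", "db-cde-01", "ssh from 10.0.4.12")
    log.append("2009-12-15T10:03:09Z", "jsmith", "export", "txn_table", "bulk SQL export")
    return log


# Helpers that simulate what an intruder covering tracks might do to the stored log.
def tampered_copy(log, index, field, value):
    entries = copy.deepcopy(log.entries)
    entries[index]["record"][field] = value
    return entries


def deleted_copy(log, index):
    entries = copy.deepcopy(log.entries)
    del entries[index]
    return entries


def truncated_copy(log, keep):
    return copy.deepcopy(log.entries[:keep])


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries))
    print("edited entry 2:", verify_chain(tampered_copy(log, 2, "who", "nobody")))
    print("deleted entry 1:", verify_chain(deleted_copy(log, 1)))
    print("truncated, no anchor:", verify_chain(truncated_copy(log, 2)))
    print("truncated, anchored:", verify_chain(truncated_copy(log, 2), log.head()))
```

The chain alone catches edits and deletions in the middle, but not removal of the newest entries; that is why `verify_chain` accepts an externally recorded head hash, and why in practice the head (or the whole log) should be copied promptly to a system the cardholder data environment cannot write back to.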

And my advice: For your own good, protect your identity.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)


Robert Siciliano is an expert on personal security and identity theft as the CEO of IDTheftSecurity.com. An American television news correspondent, security analyst, and author of “The Safety Minute: How to take control of your personal security and prevent fraud”. Featured on the The Today Show, CBS Early Show, CNN, MSNBC, FOX, CNBC, Inside Edition, EXTRA, Tyra Banks, Stern, and in USA Today, Forbes, Tech Republic, SC, CSO, Search Security, Tech News World, EWeek, SecurityInfoWatch, NY Times, Boston Globe, LA Times, Wash Post, Chicago Tribune, AP, UPI, Reuters, and Entrepreneur.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com




Comments

One Comment on PCI Council Advice on Threat Management

Michael Bacon on Tue, 15th Dec 2009 2:21 pm

I will keep on saying it until they nail the lid down … there are two main types of controls: Preventative and Detective. They are not mutually exclusive, indeed they work best in conjunction.

And, when it comes to issues with payment cards, a detective control applied to individual cards is that of checking for abnormal transactions. This has a parallel in intrusion detection systems (IDS) technology, in looking for anomalous traffic (e.g. port scans). But in IDS, we can also consider the “blended attack” and the occurrence of low-level probes at all external network connections, and deduce that an attack is taking place or being set up. The parallel for this in the payment card environment might be anomalous transactions on a variety of cards used at the same ATM, or in the same chain of garages, or in the same type of Chip-n-PIN machine, or within the same time-span. But, AFAIK, this type of detective control is not in use … and might currently be (too) ‘challenging’ to implement.
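The comment above describes two layers of detective control: per-card anomaly checks, and then correlating those anomalies across different cards that share a terminal and a time window, the way an IDS correlates low-level probes across many hosts. The Python below is an added example of that correlation written from the issuer's or acquirer's monitoring side; it is not code from the commenter or from any card scheme. The transaction records, the per-card baseline (median amount and home country), the thresholds and the function names are all assumptions made for the example, and a production system would derive baselines from history rather than from the batch being scored.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample transactions (not real card data). Cards C1-C3 each make
# one unusually large withdrawal at the same ATM within half an hour; C4 has a
# lone outlier elsewhere; C5 has an outlier at the same ATM but hours later.
TRANSACTIONS = [
    {"ts": "2009-12-14T09:10:00", "card": "C1", "terminal": "POS-01", "amount": 30.0, "country": "GB"},
    {"ts": "2009-12-14T12:40:00", "card": "C1", "terminal": "POS-05", "amount": 25.0, "country": "GB"},
    {"ts": "2009-12-14T18:05:00", "card": "C1", "terminal": "POS-03", "amount": 35.0, "country": "GB"},
    {"ts": "2009-12-15T10:02:00", "card": "C1", "terminal": "ATM-17", "amount": 250.0, "country": "ES"},
    {"ts": "2009-12-14T08:30:00", "card": "C2", "terminal": "POS-02", "amount": 20.0, "country": "GB"},
    {"ts": "2009-12-14T13:15:00", "card": "C2", "terminal": "POS-01", "amount": 22.0, "country": "GB"},
    {"ts": "2009-12-14T19:45:00", "card": "C2", "terminal": "POS-04", "amount": 18.0, "country": "GB"},
    {"ts": "2009-12-15T10:11:00", "card": "C2", "terminal": "ATM-17", "amount": 300.0, "country": "GB"},
    {"ts": "2009-12-14T07:50:00", "card": "C3", "terminal": "POS-03", "amount": 40.0, "country": "GB"},
    {"ts": "2009-12-14T11:20:00", "card": "C3", "terminal": "POS-02", "amount": 45.0, "country": "GB"},
    {"ts": "2009-12-14T17:30:00", "card": "C3", "terminal": "POS-05", "amount": 50.0, "country": "GB"},
    {"ts": "2009-12-15T10:24:00", "card": "C3", "terminal": "ATM-17", "amount": 280.0, "country": "GB"},
    {"ts": "2009-12-14T10:00:00", "card": "C4", "terminal": "POS-01", "amount": 30.0, "country": "GB"},
    {"ts": "2009-12-14T16:00:00", "card": "C4", "terminal": "POS-04", "amount": 28.0, "country": "GB"},
    {"ts": "2009-12-15T10:15:00", "card": "C4", "terminal": "POS-02", "amount": 200.0, "country": "GB"},
    {"ts": "2009-12-14T09:00:00", "card": "C5", "terminal": "POS-05", "amount": 60.0, "country": "GB"},
    {"ts": "2009-12-14T14:00:00", "card": "C5", "terminal": "POS-01", "amount": 55.0, "country": "GB"},
    {"ts": "2009-12-14T20:00:00", "card": "C5", "terminal": "POS-03", "amount": 65.0, "country": "GB"},
    {"ts": "2009-12-15T15:00:00", "card": "C5", "terminal": "ATM-17", "amount": 900.0, "country": "GB"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def card_anomalies(txns, amount_ratio=4.0):
    """Layer 1: per-card detective control. A transaction is flagged when its
    amount exceeds amount_ratio times the card's median amount, or when it
    occurs outside the card's most common country."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t["card"]].append(t)
    flagged = []
    for rows in by_card.values():
        baseline = median(r["amount"] for r in rows)
        home = Counter(r["country"] for r in rows).most_common(1)[0][0]
        for r in rows:
            reasons = []
            if r["amount"] > amount_ratio * baseline:
                reasons.append("amount")
            if r["country"] != home:
                reasons.append("country")
            if reasons:
                flagged.append({**r, "reasons": reasons})
    return flagged


def correlate_terminals(flagged, window_minutes=60, min_cards=3):
    """Layer 2: the cross-card control the comment describes. Group per-card
    anomalies by terminal and raise one alert per terminal where at least
    min_cards distinct cards were flagged inside a sliding window."""
    by_terminal = defaultdict(list)
    for f in flagged:
        by_terminal[f["terminal"]].append(f)
    alerts = []
    for terminal, rows in by_terminal.items():
        rows.sort(key=lambda r: _parse(r["ts"]))
        for i, start in enumerate(rows):
            end = _parse(start["ts"]) + timedelta(minutes=window_minutes)
            cards = {r["card"] for r in rows[i:] if _parse(r["ts"]) <= end}
            if len(cards) >= min_cards:
                alerts.append({"terminal": terminal, "window_start": start["ts"],
                               "cards": sorted(cards)})
                break  # one alert per terminal is enough to start an investigation
    return alerts


if __name__ == "__main__":
    for a in correlate_terminals(card_anomalies(TRANSACTIONS)):
        print(a)
```

With the sample data, the three large withdrawals at ATM-17 between 10:02 and 10:24 produce a single terminal-level alert, while C4's lone outlier and C5's later one at the same ATM do not, which is the point of the second layer: a single odd transaction is noise, several odd transactions sharing a terminal and a time window are a lead.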
