There are a couple interesting PCI developments coming over the next year. As I mentioned in Regulation Roundup back in February, the PCI deadline for unattended, Point-of-Sale PIN entry devices is July 10, 2010. These are those standalone ‘Pay for your parking’ machines, gas station terminals, ticket kiosks, vending machines and any other terminal where a PIN might be entered. First, July 1, 2009, was the deadline for Triple-DES to be mandated for all debit transaction processing. And next July, all fuel pumps (and like terminals) will need to have encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES. I imagine there will be another mad dash next spring for merchants to get in compliance.
The other PCI piece is come summer 2010, PCI will be making some regulatory changes to update PCI standards including 3rd party audits (Level II), tokens, end-to-end encryption and potentially Virtualization Security. Some of these changes should help in protecting our data.
And if you think skirting regulations might be a money saver, take a look at this article where the FTC has recently fined ChoicePoint for not adhering to the agreement made in 2006 for the huge 2005 data breach. They just got whacked with another $275,000 for removing a database security monitoring tool.
26 Short Topics I’ve noticed Regulatory Compliance, especially PCI, comes up frequently. Maybe it’s the constant surveys, startling numbers, never ending breaches and media reports or maybe, it’s that PCI-DSS, while not perfect, affects almost all of us and it’s like we’re in it together. You might not know, get along with or like your neighbor but if you shop at the same store and they are breached, suddenly you’re both in the same boat - ‘Hey, that happened to me too!’ It’s one of those things that we all should care about.
- #18 out of 26 Short Topics about Security
- previous stories: 17, 16, 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1
UPDATE - Added 10.22.09: ChoicePoint would like to clarify the characterization of the FTC situation and I'm happy to include this for accuracy:
"Your piece titled "Will you Comply or Just Check the Box" touches on recent ChoicePoint/FTC news and the company would like to request a clarification.
1. In regards to your report that a "fine" was levied by the FTC
a. While the Commission has authority to seek a civil penalty, http://ftc.gov/ogc/brfovrvw.
release and has since revised its press release to correct this point. The payment was made pursuant to the courts equitable authority to address compliance with its orders. The payment is not punitive in nature and neither the Order nor the FTC press release (as modified) characterizes the payment as a fine or a penalty.
Thank you so much for you time and attention. We would very much appreciate your correction of the record."
- Not a problem, thanks for the update and appreciate the clarification. ps