Archive for the ‘Compliance’ Category

Mobile Payment Security & Compliance

by FireHost Evangelist on November 30th, 2011

There isn’t much we cannot do with our smartphones anymore, is there? Making mobile payments is no exception. A wave of new apps and technologies lets consumers purchase almost anything through their phone, all but eliminating the need to carry an actual wallet. FireHost senior security engineer Chris Hinkley wrote a guest article for SecurityWeek on the safety of mobile payments and their PCI compliance implications.

You can check out the full article to learn more about why mobile payments are still vulnerable, how the PCI Security Standards Council is tackling the issue, and what the next year will bring for this popular consumer trend.

“There is vagueness around the safety of consumers’ credit card numbers when they are transmitted through mobile applications. A website that’s been modified for a mobile platform is presumably safer than an actual mobile application, making the latter not considered compliant according to the PCI DSS Council. If your business is working on a payment app to make transactions easier or more convenient for customers, you must consider this before deploying the app into the iPhone, Android, Blackberry or other marketplace.”

FireHost Joins The Cloud Security Alliance

by FireHost Evangelist on August 3rd, 2011

FireHost is honored to announce a partnership with the Cloud Security Alliance (CSA). FireHost will serve as a member on the CSA Advisory Council and will be working with the other CSA corporate members to support thought leadership and endorse best practices for providing secure cloud hosting environments.

Cloud security is a hot topic throughout the industry, and no discussion of it is complete without mentioning how the Cloud Security Alliance (CSA) has been influential in making sure major security issues are addressed and averted. The CSA is a non-profit organization formed to promote the use of best practices for security assurance in cloud computing, and to provide education on how cloud computing can help secure all other forms of computing.

“FireHost’s deep experience in virtualized and secure hosting is a welcome expertise for The Cloud Security Alliance,” said Jim Reavis, executive director of the Cloud Security Alliance. “We’re confident FireHost will be an asset in helping the CSA continue to innovate in developing best practices for securing providers in the cloud.”


Decoding PCI DSS Requirement 6: Develop and Maintain Secure Systems and Applications

by FireHost Evangelist on June 24th, 2010

The main directive of the Payment Card Industry Data Security Standard (PCI DSS) Requirement 6 is to “develop and maintain secure systems and applications.” At a high level, the requirement seems reasonable and the language in the title is simple and straightforward. Closer investigation, however, reveals a much more complex compliance scenario.

While most of the contents of Requirement 6 are not technically difficult to achieve, maintaining the balance between an eCommerce organization’s business requirements, brand integrity, usability requirements, and security is challenging. It is the responsibility of the development team to weigh the best interests of the organization against its wish list, all while adhering to the best practices and requirements set forth in the PCI DSS standard to protect the organization and its customers.

Requirement 6 affects almost every aspect of the development process, from the planning stage to post-launch maintenance. Some of its provisions are very specific and will vary with your deployment and development environment, so this article covers the general compliance guidelines rather than every environment-specific detail.

System Configuration, Maintenance and Security

As with all of the PCI DSS requirements, it is important to consider all of the required accommodations early on and throughout the planning phase. The scope of Requirement 6 reaches beyond code to the configuration of the development and production environments as well as the administration of both.

This includes simple things, such as the requirement in Provision 6.1 that all systems (production and development servers as well as developer workstations) have the latest security patches installed within 30 days of release (or 90 days if your company’s policy requires roll-out testing), and that every security patch is tested against the vulnerability it fixes before it is deployed to production. Provisions 6.3.2 and 6.3.3 require that production and development environments be completely separate, and that a policy provides separation of duties, responsibilities and privileges between users with access to either environment.

Beyond patching, specific system vulnerabilities may be addressed either in code or through system configuration changes; the right fix depends on the particular deployment. Most PCI-approved vulnerability scanning solutions provide detailed remediation guidance for each finding they report.


Empower Your Employees and Protect Your Online Business in Five Easy Steps

by FireHost Evangelist on May 25th, 2010

True story – visiting a client one time, our CEO Chris Drake came across a sales guy who had his computer access credentials taped to the palm rest of his laptop. It turns out the company’s entire customer information database was synced to the sales person’s laptop. If he lost it (or if it was stolen) you can only imagine the consequences.

This vision has haunted us ever since. The responsibility of keeping your company’s data safe is one that’s shared by the whole team, and it should make them feel empowered. Hacker prevention for companies that store data and/or transact business online isn’t as simple as hiring a secure web host; it’s a 24/7 job that requires good physical and virtual housekeeping from everyone. Luckily, it’s not as tedious, time consuming, or boring as cleaning your actual home, and it doesn’t require you to pat down your employees each time they walk out the door.

Here are five best practices that everyone on your team should put into action to keep the company safe from cyber criminals.

#1 Mobile Security
Whether you’re a swanky, MacBook Pro-toting executive or a lowly intern with company email syncing to your phone, you’re responsible for data security when working remotely. Password-protecting your mobile devices and your software is a ridiculously easy and yet commonly overlooked step that can prevent a world of loss. Password-protect everything your employees work on and access remotely, and we mean everything: mobile phones and laptops, email accounts, VPN connections, and SaaS programs used for business. In addition, don’t store or “remember” passwords for critical services; require that every employee type his or her credentials each time. It’s really not as daunting as it sounds: entering a password takes just a moment.


Decoding PCI DSS Requirement 4: Encrypting and Storing Credit Card Data

by FireHost Evangelist on May 19th, 2010

Data encryption seems complicated, and in most cases it lives up to that complexity. This is especially true when encryption requirements go beyond the basics, such as names and passwords, to include highly confidential information like social security numbers, credit card numbers, and protected health information.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules that govern how credit card information must be handled and protected. Its nomenclature can oftentimes be a bit confusing, so in a short series of articles (starting with this one) we’ll break down the most important elements of the PCI DSS as they relate to data encryption.

PCI DSS Requirement 4

Requirement 4.1 of PCI DSS addresses the encryption protocols and instructs any entity that accepts, handles, transmits, or stores credit card data to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”
 
Let’s start with what Requirement 4 protects. PCI DSS defines cardholder data as, at a minimum, the primary account number (PAN), together with the cardholder name, expiration date and service code when they are stored or sent with it. Requirement 4 covers this data in transit: it must be encrypted whenever it crosses an open, public network such as the Internet or a wireless link. Protecting the same data at rest, including rendering the stored PAN unreadable, is the subject of Requirement 3, and the two are normally addressed together.
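To make “strong cryptography and security protocols such as SSL/TLS” concrete on the client side, here is an added example (written for this page, not FireHost’s code, using only the Python standard library). It builds a TLS client context that verifies the server certificate and hostname, refuses anything below TLS 1.2 and restricts cipher suites to forward-secret AEAD ciphers, places it beside the kind of “make the error go away” context that disables verification, and audits both. The weak-cipher marker list and the cipher string are choices made for this example, not text from the standard.

```python
"""Added example for PCI DSS Requirement 4.1: a hardened TLS client
context beside a weak one, with an audit that reports the gaps.
Not FireHost's code; standard library only."""
import ssl

# Substrings that mark cipher families a PCI assessor would flag
# (choice made for this example, not a PCI SSC list).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON", "aNULL")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that meets the intent of Requirement 4.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / 1.1
    ctx.check_hostname = True                      # name must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED            # untrusted cert = handshake fails
    ctx.load_default_certs()                       # platform CA store (assumption)
    # Forward-secret, AEAD-only suites; TLS 1.3 suites are added by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """What many copy-pasted snippets do to silence certificate errors.
    Cardholder data sent through this is exposed to an active attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(m in name for m in WEAK_CIPHER_MARKERS) or cipher["strength_bits"] < 128:
            findings.append(f"weak cipher suite enabled: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(label, audit_context(ctx) or "OK")
```

The audit checks the three things that actually decide whether card data is protected on the wire: that the peer is authenticated (certificate and hostname), that the protocol floor excludes versions with known breaks, and that no weak suite can be negotiated. A context that only passes the last check still fails the requirement, because an unauthenticated TLS session can be intercepted by anyone in the path.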

Here are some common questions and answers about Requirement 4 to help developers navigate through it.
