Despite the media attention to viruses and other malicious software, a major source of vulnerability in the payment industry remains lack of cardholder data protection stored by merchants, acquirers, services providers and third parties suppliers.

Small businesses are often the focus of criminals to gather this valuable information because of their lack of technical security expertise and unawareness their suppliers and service providers manage the security of their payment systems. However, leading services providers are not excluded, with important consequences (e.g.: earlier this year Global Payments 1.5 million card numbers breach).

As expected, the HHS (the US Department of Health and Human Service) engaged KPMG to conduct the audits between now and end of 2012 while a second vendor was selected to support with the selection criterion for covered entities.

Now, as of November 2011, the pilot phase of the program has been announced and provides details on:

After Square, Paypal, SalesVu ... innovative ways to accept mobile payments with a Smartphone or tablet, the PCI Council had to respond to the payment community. According to a new paper published recently, the PCI Council provides guidance to merchants that accept mobile payments via smartphone or tablet to use validated point-to-point encryption solution (P2PE).

The PCI Council has raised two scenarios:

The North American Electric Reliability Corporation (NERC) has published ten CIP standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1) which include a new and revised NERC Glossary definitions and a proposed implementation plan. The documents have been posted on the NERC website for a formal 60-day comment period which will be accepted via an electronic form. The implementation plan identifies each requirement in the already-approved Version 4 CIP standards and identifies how the requirement has been treated in the Version 5 CIP standards.

Link to the NERC CIP Standards.

A new survey conducted by Ponemon Institute, sponsored by Experian present the findings of the Reputation Impact of a Data Breach. Ponemon Institute also examined how organizations were affected by a data breach.

How a negative event such as a data breach can affect the reputation and brand image of an organization and what steps are important to take in order to restore them are also covered in this report.

Solvency II will change investment practices underlying products and the consequential business models supporting those products. While there are signs that some of this restructuring is already taking place.

Solvency II has the potential to reshape the insurance industry's product offering and may result in some products being taken off the market (source: www.pwc.com).

When the Dodd-Frank Wall Street reform and Consumer Protection Act was enacted in July 2010, many said that it was the most significant remake of the US financial services sector since the Great depression. The six months following passage have demonstrated that Dodd-Frank's reach impacts not only every segment of the financial services industry but also the rest of corporate America in ways that may not have been fully anticipated (source: www.pwc.com).

More...

The PCI SSC issued a list of questions designed to help software vendors in further differentiating whether or not a software application is eligible for a PA-DSS assessment and listing by the PCI SSC as part of the PA-DSS program.

The PCI SSC document could be downloaded here: Applications Eligible for PA-DSS Validation.

Ponemon Institute and Tripwire Inc. conducted The True Cost of Compliance research research to determine the full costs associated with an organization's compliance efforts (source: www.tripwire.com).

More...