“After TJX and, more recently, the Heartland breach shining a spotlight on credit card data security, retailers are under a tremendous amount of pressure to protect their customers, and the PCI Data Security Standards are an important part of that,” said Steve Dispensa, PhoneFactor CTO and co-founder. “PhoneFactor enables rapid, cost-effective compliance with PCI DSS and adds a critical layer of security to prevent unauthorized access to highly sought after credit card data.”

By leveraging something every user already has — a phone — to authenticate user logins, PhoneFactor is ideal. A user simply logs in with a username and password. Instantly, his phone rings. He answers, presses # (or enters an optional PIN), and is immediately granted access. PhoneFactor also offers text messaging and voice biometric options.

Because there are no security tokens to provision and no software or certificates for end users to install, PhoneFactor can quickly be enabled for large numbers of employees at retail locations worldwide.

“PhoneFactor provided New York & Company with rapid two factor authentication for PCI DSS compliance requirements that was extremely easy for our employees and partners to use,” remarked Bill Voit, CIO. “Our IT department had it up and running in just hours and all users were able to use it within a few days.”

PhoneFactor has been part of countless PCI DSS audited customer implementations. With PhoneFactor, all user data is stored within the customer’s network and advanced logging is available for auditing purposes. In addition to meeting PCI DSS requirements for two-factor authentication, many retailers incorporate PhoneFactor’s fraud alerting capabilities into their incident response plans.

According to the PCI Security Standards Council, the updated PCI standard, which will now be refreshed every three years instead of two, was based on hundreds of pieces of feedback. PCI DSS 2.0 incorporates a stronger emphasis on scoping sensitive data and a more risk-based approach for assessing vulnerabilities. Some believe, however, that the bigger news is not what IS included in the revised standard, but what IS NOT included.

“I think the reaction to what’s missing is the most important part of this announcement because it will push the council to move faster on areas they have not yet,” Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com. “A lot of fundamental questions are still unanswered.”

A summary of upcoming changes to the PCI DSS is available online at https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf.

The onsite assessment, which must be completed by a PCI QSA (Qualified Security Assessor), will validate compliance with the twelve requirements set forth in the Payment Card Industry Data Security Standards. The PCI DSS requirements are designed to provide increased controls around data and its exposure to compromise.

Heartland recently announced that it expects to take a significant loss in Q3 resulting from more than $12.6 million dollars in fines from Visa and Mastercard, legal fees, and administrative costs. Given that 65% of the cost of a typical data breach is due to lost business from new and existing customers, none of which is included in the $12.6M figure, this may be just the tip of the iceberg for Heartland.

Pained over the cost of compliance? It’s nothing compared to the cost of a breach. Ask Heartland.

The Council previously announced the summary of changes between version 1.1 and version 1.2 to ensure awareness of the coming latest changes to the standard. Version 1.2 includes clarifications and explanations of the requirements that improve flexibility to meet today’s security challenges and ensure organization’s can adequately comply with the standard. While version 1.2 does not introduce any new major requirements to the existing 12 in place since the Council’s inception, the updates do change some practices, such as the sun-setting of implementations of Wired Equivalent Privacy (WEP) wireless security by June, 2010.

“This latest revision to the PCI DSS is welcome news for merchants and service providers as they grapple with the latest security threats to their payment transactions systems,” said Diana Kelley, partner and analyst with SecurityCurve, a data security consultancy. “The clarifications and language revisions should go a long way in easing implementation questions and help to reduce compliance costs.”

Since the Council’s inception in Sept. 2006 and the release of version 1.1 of the PCI SSC, its Participating Organizations and Board of Advisors have been providing feedback on the standard, with global industry input into the revisions. This follows the established lifecycle process that will ensure that the PCI DSS standard is revised and updated on a two year cycle. Participating Organizations are given the opportunity to receive early drafts of all pending revisions to the Council’s standards and provide a bulk of the feedback during this process. PCI DSS version 1.2 was the primary discussion topic at the Council’s recently concluded and successful community meeting in Orlando, Fla., in which more than 500 attendees came together to begin the process of strengthening the standards even further.

“It is especially gratifying to know that version 1.2 of the PCI DSS is inclusive of global industry feedback,” said Bob Russo, general manager, PCI Security Standards Council. “This ensures that we continue to offer merchants and service providers a pathway to protect cardholder account data that is sensible and achievable.”

For More Information:
More information on the PCI Security Standards Council and becoming a Participating Organization please visit pcisecuritystandards.org, or contact the PCI Security Standards Council at participation@pcisecuritystandards.org.

About the PCI Security Standards Council
The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.

The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors and other vendors are encouraged to join as Participating Organizations.