
Barclaycard Payment Security Newsletter Jan11


Page 1: Barclaycard Payment Security Newsletter Jan11

Payment Security Newsletter – Issue 1 – January 2011

payment acceptance

leading the way in secure payments

Page 1

Happy New Year!

It’s hard to believe that 2010 is now behind us. And what a year it was! With the recent release of PCI DSS and PA-DSS version 2.0; the further guidance documents by the PCI SSC, the Card Schemes and ourselves; the new PFI (PCI Forensic Investigator) and ISA (Internal Security Assessor) programmes, it certainly was a busy year. A big thank you to all our customers and partners for their commitment to keeping the payments network secure and achieving the overall 28% card fraud reduction in the UK in 2009*.

As we enter 2011, we’re faced with a set of new challenges as well as the old ones. In this issue we touch on hot topics such as cybercrime, mobile security and cloud computing, as well as topical news from the industry and why you should be watching out for the Olympics.

It’s undeniable that 2010 was the Year Of The Cloud with all the buzz about Salesforce.com, IBM, Google, Microsoft, Oracle, Amazon, Rackspace, Dell and others positioning themselves in the new clouds. A study by Cisco Systems (December 2010) projected that almost 12% of all enterprise workloads will run in the public cloud by the end of 2013, whilst the key opportunity for service providers is to differentiate themselves by providing cloud services. The study also highlighted that the key issues determining migration decisions revolve around perceptions by executives about security and control, data-centre overcapacity and scale, and the availability of skilled IT people.

Evidently, the cloud is exciting, with the potential to reduce capital costs and increase agility by divesting infrastructure and application management to concentrate on core competencies. But with new opportunities come new risks. In some cases, moving to the cloud allows re-design of older applications and infrastructure to meet or exceed modern security requirements. At other times, the risk of moving sensitive data and applications to an emerging infrastructure might exceed tolerance levels. As always, it’s all about risk management (more on this page 4).

Welcome!

To the first edition of the Barclaycard Payment Security Newsletter

What is cloud computing?

Here’s Barclaycard’s definition:

Cloud computing is the on-demand provision and use of shared computing resources (e.g. network infrastructure, server capacity, data storage and software) to computers and other devices, similar to buying a utility resource like electricity.

It allows organisations to purchase resilient, flexible & scalable computing capacity to meet changing needs without having to deploy & manage this infrastructure themselves; when organisations run their own infrastructure, they typically deploy more than they need in order to cover demand peaks and resilience, which adds to their cost base. Capacity is bought in terms of computing power (e.g. CPU cycles and memory) or software services (e.g. applications).

We say: a new definition for an old concept.

In this issue

Olympics – are you prepared? ... 2

Top tips for success ... 2-3

Securing mobile devices ... 3

Technology Spotlight: Navigating through the cloud ... 4

OWASP Top Ten ... 6

From the card schemes ... 7

Compliance Index by sector ... 8

Upcoming events ... 9

PCI DSS ... 9

From our partners ... 9

Resources ... 10

Have your say ... 12

I look forward to working with you all in 2011!

Neira Jones

Head of Payment Security

* as reported by UK Cards Association in March 2010.


Page 2

Olympics 2012 – are you prepared?

With the construction of all the new main venues and infrastructure for the London 2012 Games well underway, preparations are on track, but are you prepared for 2012?

This may seem a strange question in a payment security newsletter, so let’s look at a few facts. On 18th October 2010, the UK Government published their National Security Strategy which placed "Hostile attacks upon UK Cyberspace by other states and large scale cyber crime" at the same level as International Terrorism and International Military threats. In 2008, Beijing suffered 12 million cyber attacks per day during the Olympic Games. These games lasted for 16 days; the total number of attacks: 192 million. The number of internet users was estimated at 1.9 billion users in June 2010*, up 23% since 2008. As the number of internet users increases we’re likely to see far higher attack statistics every year.

With about 500 days to go (and much less than that when we consider that ticketing, bookings and merchandising will start as early as March 2011), the organised crime community is certainly very busy. Organisations should start addressing their potential risks now, as well as advising their customers.

For those merchants out there still using non chip & PIN terminals, now is the time to update them… For those with online shops, see our top tips on the right and next page, and our white paper on “Processing Online Payments Securely”: http://www.barclaycard.co.uk/business/documents/pdfs/processing_online_card_payments.pdf

So that you’re ready to answer any customer queries on fraud, take a look at the newly launched www.financialfraudaction.org.uk from Financial Fraud Action UK - the body which co-ordinates the financial services industry’s fraud prevention activity.

This new site covers a wide range of financial fraud issues and provides fraud prevention advice that will help you find what you need quickly and easily, including sections focused on consumers, retailers, police and media. Also, coming soon to the site will be some interactive retailer training.

Spread the word!

*Source: Miniwatts Marketing Group, 2010

Barclaycard top tips for a successful PCI DSS journey

Prepare for change

1. Don’t treat PCI DSS as an IT project: it is a Change Programme and needs organisational commitment.

2. Train staff at all levels (there will be various degrees of training, and don’t forget Board and Exco) and embed an Information Security culture within your organisation early. (*)

3. Scope: Understand how card payments are currently processed (people, process and technology). Reduce the scope of the cardholder environment (the smaller, the easier).

4. There will be quick wins derived by reviewing and changing business processes and historical practices that require little investment. If you don’t need cardholder information, don’t have it…

5. Develop a gap analysis between current practices and what is necessary to become PCI DSS compliant. The gap analysis and cardholder data flow mapping is the most important step (and this should be refreshed periodically - once a year is advised).

* Note: see “resources” on page 10 if you need help with this.

(continued next page)

Olympics 2012: Cybercrime on the rise?


Page 3

Securing mobile devices

On 31st December 2010, the BBC announced that mobile calls and texts made on any GSM network can be eavesdropped using four cheap mobile phones and open source software (http://www.bbc.co.uk/news/technology-12094227). On the same day, The Register* announced that mobile malware (dubbed Geinimi) capable of stealing data from infected Android smartphones had appeared in China. This Trojan, which usually poses as a gaming app, has been uploaded onto third-party Chinese Android app markets and, if installed, sends personal data (specifically device identifiers, location information and the list of installed applications) to a remote server (http://www.theregister.co.uk/2010/12/31/china_android_trojan/).

But phones are not the only mobile devices around, and when looking at security you should equally consider:

• Full-featured mobile phones with functionality similar to personal computers, or “smartphones”

• Laptops, netbooks, tablet computers and portable digital assistants (PDAs)

• Portable USB devices for storage (such as “thumb drives” and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)

• Digital cameras

• Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management

• Infrared-enabled (IrDA) devices (printers, smart cards, etc.)

Many of these devices enable employees to be away from the office whilst having the convenience of all the office resources through phone, e-mail and text by using wireless networks, with many providing access to the Internet, company documents and drives, video/photographic and storage capability. So let’s not forget about security principles from the PCI DSS and focus on the following for all these devices: wireless network requirements, encryption of data at rest and in transit, authentication, anti-virus, etc. Of course, all of this must be underpinned by a sound information security policy for mobile devices and an effective staff awareness programme. Security in the mobile space is not just about mobile phones.

For additional resources related to mobile devices, please see www.isaca.org/mobiledevices

* http://www.theregister.co.uk/

Reduce risk

6. Remove sensitive authentication data (SAD) storage as the topmost priority.

7. Prioritise Risk: once SAD storage is addressed, look at vulnerabilities in the Card Not Present environment (e-commerce and Mail Order/ Telephone Order). (This tip is for markets that have implemented EMV in their face-to-face channel).

8. Outsource to compliant third parties where possible: in the e-comm space, Level 1 PCI DSS compliant end-to-end e-comm Software as a Service (SaaS) is increasingly seen as a means of achieving compliance quicker & maximising RoI. And if not possible, tie down third parties (contractually). (*)

9. Assess the suitability of, and implement, risk mitigation technologies (e.g. Verified by Visa, SecureCode, tokenisation, point-to-point encryption, etc.); whilst these are not PCI DSS requirements, they will improve security and reduce risk.

10. If Compensating Controls are required, ensure that all parties are engaged to agree the controls before implementation (merchant, QSA, acquirers).

Finally, always work in partnership with your acquirer and your QSA.
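Tips 4 and 6 come down to finding cardholder data and sensitive authentication data in places they should never be, and application or gateway logs are a common hiding place. The following is an added example, not Barclaycard’s tooling: a small Python scanner run over a few constructed log lines. It picks out digit runs of PAN length, keeps only those that pass the Luhn check (so order references and other long numbers are not reported), masks anything it finds to the first six and last four digits, and separately flags fields named like SAD (CVV2/CVC2, PIN, track data). The regular expressions, the field names and the test card numbers are assumptions chosen for the demonstration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed for this demo) that carry sensitive authentication data,
# which must never be stored after authorisation: verification codes, PINs, track data.
SAD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin|pinblock|track[12]?)\s*[=:]\s*\S+")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (kind, detail) findings for one line: Luhn-valid PANs (masked) and SAD fields."""
    findings = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # drops order numbers and other digit runs that merely look like PANs
            findings.append(("PAN", mask_pan(digits)))
    for m in SAD_RE.finditer(line):
        findings.append(("SAD", m.group(1).lower()))
    return findings


def scan_log(lines) -> dict:
    """Map 1-based line numbers to their findings; lines with nothing to report are omitted."""
    report = {}
    for n, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            report[n] = found
    return report


# Constructed sample log lines; the card numbers are the well-known industry test PANs.
SAMPLE_LOG = [
    "2011-01-15 09:12:01 INFO  order=A1001 amount=19.99 status=approved",
    "2011-01-15 09:12:05 DEBUG gateway request pan=4111111111111111 exp=1213 cvv2=123",
    "2011-01-15 09:13:10 INFO  order=A1002 ref=4111111111111112 status=declined",
    "2011-01-15 09:14:44 DEBUG card 5555 5555 5555 4444 authorised auth_code=88213",
]

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {found}")
```

A hit is evidence that the logging configuration, not just the log file, needs fixing: stop the data being written (mask or tokenise before it reaches the log), then purge what is already there. Running the same scan over file shares, databases and backups is the practical form of the data flow mapping in tip 5.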

Barclaycard top tips for a successful PCI DSS journey (continued)

* Note: see “resources” on page 10 if you need help with this.

Mobile devices: Have you considered everything?


Page 4

Maintaining a secure payments environment when the accepted boundaries of control and trust are changing

On 27th January 2011, I’m looking forward to presenting at PCI London on this topic. For those who can’t make it, here’s a quick summary of my presentation, following on from the introduction on the first page of this newsletter.

The fact remains that Cloud Computing isn’t necessarily any more or any less secure than your current environment. But misconceptions still abound, especially when it comes to security, and the limitations on cloud computing growth will include issues of data custody, control, security, privacy, jurisdiction and portability standards for data and code. Adopting Cloud Computing is a complex decision involving many factors, as it may include not only desktop applications, e-mail, collaboration and enterprise resource planning but potentially any application. It’s therefore not surprising that enterprises are grappling with the dilemma of how to lose control gracefully whilst maintaining accountability when operational responsibility for handling and securing their assets rests with one or more third parties.

Cloud Implementation Considerations

There are many different cloud implementation considerations:

• Cloud deployment model: public vs. private deployments;

• Cloud location: internal vs. external hosting, or combined;

• Cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), commonly referred to as SPI, as well as the emerging model of cloud service brokers.

Essentially, understanding the relationships between Cloud Service Models is fundamental to understanding Cloud Computing security risks. IaaS is the foundation of all cloud services, with PaaS building on IaaS, and SaaS in turn building on PaaS. The key consideration for a security architecture is that the lower down the stack the cloud service provider stops, the more organisations will be responsible for managing and implementing security for their assets.

27th January 2011
Victoria Park Plaza Hotel
London SW1V 1EQ

Optimising security and compliance programmes to reduce risk and deliver business value

PCI London provides critical advice for senior decision makers on how to ensure information security compliance and implement payment security best practices in order to minimise complexity, reduce risk, create value, and keep costs low. Offering practical insights on how best to protect customers and payment data in a constantly changing business environment, this event is specifically designed to help meet the challenges of a rapidly evolving landscape.

PCI London is designed specifically for professionals who are responsible for managing key functions within global and national organisations that include banks, merchants and acquirers, such as information security, IT, risk, compliance, fraud, audit, QA, policy, and governance. This community meeting brings together an exclusive audience in order to discuss the most efficient and cost effective solutions for overcoming the key security and compliance challenges faced today.

For information and registration, please see

http://www.pci-portal.com/pci-london

Technology Spotlight: Navigating through the Cloud


Page 5

Cloud Computing: Managing Risk

Categorise

This means that organisations should adopt a risk-based approach to moving to the cloud and selecting security options i.e. what enterprise asset (data or applications/functions/processes) is being considered for a potential move to the cloud and how sensitive is that asset? The first step in determining a cloud migration “posture” is to categorise and evaluate the asset for confidentiality, integrity and availability and how these will be affected if the asset is handled in the cloud. When it comes to cardholder information related assets (either cardholder data or payment applications), the process is the same, and the PCI DSS standard fits neatly with the security control model to be applied to a cloud model.

Asset Risk Classification

Once an understanding of the asset’s importance is gained, the organisation should determine which risks will be acceptable to their security posture in the various deployment models (private, public, community, or hybrid) and hosting locations (internal, external, or combined). This step enables the organisation to map its security and risk requirements for the asset depending on how (deployment models) and where (locations) the services will be deployed.

Control & Risk Management

Once the asset has been classified and risk appetite ascertained for cloud deployment and location, the next step will be to focus on the degree of control and risk management the organisation will have for each of the cloud service models. This is because, whilst the risk assessment depends on the “where” and “how” of the assets described in the previous paragraph, it also depends on the following:

• The types of assets being managed

• Who manages them and how

• Which controls are selected and why

• What compliance issues need to be considered

This will be a challenging undertaking, as organisations will need to ask cloud services providers to disclose their security controls and how they are implemented to the “consuming” organisation, and “consuming” organisations will need to know which controls are needed to maintain the security of their information. Lack of thoroughness and transparency at this stage can lead to detrimental outcomes.

Cloud Architecture & Security

It is critical that a cloud service is classified against the cloud architecture model, then against the security architecture, and then against the business, regulatory and other compliance requirements (which essentially amounts to a gap analysis). In SaaS environments, the security controls and their scope are negotiated in the service contracts (SLAs, privacy, compliance, etc.). In an IaaS offering, the provider will be responsible for securing the underlying infrastructure and abstraction layers, and the consuming organisation will be responsible for the security of the remainder of the stack. PaaS service providers will be responsible for the security of the platform, whilst the “consuming” organisations will be responsible for securing the applications developed against the platform as well as developing them securely (e.g. OWASP Top 10 – see next page).

Data Flow Mapping

When evaluating specific deployment options, organisations should map out the data flow between all consumers and providers (e.g. the organisation, the cloud service, customers, other nodes, etc.). Before making a final decision, it is essential to understand whether, and how, data can move in and out of the cloud in order to identify risk exposure points.

And finally…

By following a risk-based approach, organisations will understand the importance of what they are considering moving to the cloud, their risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable. They will also have a rough idea of potential exposure points for sensitive information and operations.

I recommend the following two papers from the Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing v2.1 (December 2009) and Top Threats to Cloud Computing v1.0 (March 2010) for their detailed analysis on which this article is based.

http://www.cloudsecurityalliance.org/Research.html

The SPI Model

Risk mitigation should be considered for each of the SPI tiers (SaaS, PaaS, IaaS) as well as compliance and regulatory requirements (e.g. PCI DSS, FSA, SOX, etc.). At this stage, organisations will evaluate and assess the risk for potential cloud service models and providers.


Page 6

Web application security risks: OWASP Top 10

Insecure software is already undermining our financial, retail, defence, energy and other critical infrastructure. As our digital infrastructure becomes interconnected and increasingly complex, the difficulty of achieving web application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.

The Top 10 project is referenced by many standards, books, tools, and organizations, including PCI DSS. The OWASP Top 10 was first released in 2003, with minor updates released in 2004 and 2007. The 2010 release marks this project’s eighth year of raising awareness of the importance of application security risks.

Barclaycard encourages its customers and partners to use the Top 10 to get started with web application security. Developers can learn from the mistakes of other organisations. Executives should start thinking about how to manage the risk that software applications create in their enterprise. The 2010 Top 10 web application security risks are listed below:

The Open Web Application Security Project

The OWASP Top 10 provides a powerful awareness document for web application security. It represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

We urge all companies to adopt this awareness document and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within an organisation into one that produces secure code.

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!

As you do this, please emphasize:

• OWASP is reaching out to developers, not just the application security community

• The Top 10 is about managing risk, not just avoiding vulnerabilities

For the 2010 release of the OWASP top 10:

http://www.owasp.org/index.php/Top_10

OWASP

It’s all about risk

The 2010 Top 10 Application Security Risks and their associated risk factors were determined based on the available statistics and the experience of the OWASP team. To understand these risks for a particular application or organisation, you must consider your own specific threat agents and business impacts.

• A1 Injection

• A2 Cross-Site Scripting (XSS)

• A3 Broken Authentication and Session Management

• A4 Insecure Direct Object References

• A5 Cross-Site Request Forgery (CSRF)

• A6 Security Misconfiguration (new in 2010)

• A7 Insecure Cryptographic Storage

• A8 Failure to Restrict URL Access

• A9 Insufficient Transport Layer Protection

• A10 Unvalidated Redirects and Forwards (new in 2010)
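A1 Injection heads the list, and the breach statistics on page 8 note that SQL injection still features among the simplest attacks seen in practice. The following added example (not OWASP’s or Barclaycard’s code; the in-memory orders table, the customer names and the tokens are constructed for the demonstration) puts the vulnerable pattern beside its hardened form using Python’s sqlite3 module. The first lookup builds the query by string concatenation, the second binds the input as a parameter. The same three inputs are run through both: a normal name, the classic tautology input from the OWASP material, and a legitimate name containing an apostrophe. The tautology returns every row from the vulnerable lookup and nothing from the hardened one, and the apostrophe breaks the vulnerable query outright while the hardened lookup simply finds no match.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an order store keyed by customer name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, pan_token TEXT)")
    conn.executemany(
        "INSERT INTO orders (customer, pan_token) VALUES (?, ?)",
        [("alice", "tok_8f3a"), ("bob", "tok_1c9d"), ("carol", "tok_77e2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """A1 pattern: the input is pasted into the SQL text, so it becomes part of the query grammar."""
    sql = "SELECT customer, pan_token FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, customer: str) -> list:
    """Parameterised query: the driver binds the value as data, so it can never alter the statement."""
    sql = "SELECT customer, pan_token FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def compare(customer: str) -> dict:
    """Run both lookups on the same input; report row counts, or the error the vulnerable one raises."""
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, customer))
    except sqlite3.OperationalError as exc:   # malformed SQL: the input changed the statement
        vulnerable = f"error: {exc}"
    hardened = len(lookup_hardened(conn, customer))
    conn.close()
    return {"input": customer, "vulnerable_rows": vulnerable, "hardened_rows": hardened}


if __name__ == "__main__":
    for value in ("alice", "' OR '1'='1", "O'Brien"):
        print(compare(value))
```

The point for developers is that the hardened version needs no input “cleaning”: the database driver never interprets the bound value as SQL, so there is nothing to escape or blacklist. The same discipline, keeping data out of the code channel, applies to the other interpreters A1 covers (LDAP, OS commands, XPath), and it is a far more reliable control than trying to recognise hostile input.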

Web application security: Managing risks and developing secure web applications


Page 7

Visa Europe

31st December 2012: Pre-PCI PEDs

All pre-PCI PEDs (earlier than PCI PED version 1.x) must be replaced with Visa approved devices by 31st December 2012. Please note that PCI PED 1.x approved devices will expire on 30th April 2014 and PCI PED 2.x will expire on 30th April 2017 (expiry means that no new deployment of the devices is allowed, but like-for-like replacement is tolerated). Please check the PCI SSC site for your devices at https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php

31st December 2012: Payment applications and PA-DSS

Acquirers must ensure that merchants using payment applications that do not store sensitive authentication data are either fully PCI DSS compliant or using a PA-DSS compliant application. For a list of validated PA-DSS applications please see https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php

Risk mitigation

3D Secure…

To improve your fraud to sales ratio in the e-commerce space, think about authentication through 3D Secure.

As at September 2010, Verified by Visa (VbV) penetration in the UK was 53.3% and 90% of the UK VbV volume was fully authenticated. This reduced the fraud to sales ratio on fully authenticated transactions to 0.08%, compared to 0.25% for non-VbV traffic.

Don’t forget that VbV protects merchants against cardholders denying making the purchase: all fully authenticated transactions benefit from the global liability shift and all merchant ‘attempted’ transactions benefit from the global liability shift, except Inter-Regional Commercial card transactions.

The maths are clear!

MasterCard

30th June 2011: PCI annual onsite assessment and ISA training

(Please see page 9 for ISA training dates)

• Level 1 merchants choosing to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend the PCI SSC ISA training and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.

• Level 2 merchants choosing to complete an annual Self-assessment Questionnaire (SAQ) must ensure that staff engaged in the self-assessment attend the PCI SSC ISA training and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.

What’s on the horizon

With cybercrime on the rise, you will not be surprised that the card schemes (and Barclaycard) will be focusing even more on reducing risk in the e-commerce space. Consequently, risk prioritisation & management remains on the agenda. Also expect some relaxation in the face-to-face channels for organisations that have deployed EMV terminals (aka Chip & PIN)…

From the card schemes: What you should know

Don’t forget

Payment applications that store (or cause to be stored) sensitive authentication data are not allowed.

When integrating payment applications in your infrastructure, always check PA-DSS compliance.


Page 8

PCI DSS: Recap

Round up 2010

As you’ll know by now, the PCI SSC released version 2.0 of both the PCI DSS and PA-DSS. Notably, the lifecycle has now been increased from 2 years to 3 years, which in our opinion denotes maturity. The theme for the new release was really clarification rather than drastic change and this was welcomed by the industry. Also of particular note, the PCI SSC re-launched their website (https://www.pcisecuritystandards.org/), and it is now much clearer and easier to navigate. The sub-site for small merchants was particularly welcome! Check it out at https://www.pcisecuritystandards.org/smb/

And again, it’s all about risk…

Undeniably, 2010 was also the year of risk prioritisation and this was evident at the PCI SSC community meetings and subsequent Card Scheme communications. Barclaycard has always been a proponent of risk prioritisation. Evidently, PCI DSS compliance does not equal security, which is why organisations should identify their vulnerabilities and their impact to their assets. With the increase in cybercrime, Card-Not-Present risks (e-commerce and MOTO) should be at the forefront of a security agenda. When the PCI SSC launched the risk-based approach in March 2009, with its reclassification of the PCI DSS requirements into 6 milestones, Barclaycard embraced it and developed supporting tools to help its customers. Now that this approach has been in operation for a while, we can see many ways of improving it. First of all, the SSC risk-based approach puts most of requirement 12 in milestone 6 (therefore at the end of a programme). We firmly believe that all activities related to information security policies should start at the beginning of a change programme (which PCI DSS should be).

In addition to this, the SSC approach is a static one inasmuch as it gives a snapshot in time of the status of any given requirement. What is now needed, as the standard reaches maturity (exemplified in v2.0), is a dynamic approach enabling the controls to be managed in real time by the persons directly responsible for them. Furthermore, we believe that the security posture of any given organisation should not be just about PCI DSS, but also Data Protection and other security requirements to help reduce risk (for example use of 3D Secure). A toolset that would enable organisations to understand the key risks whilst identifying non-compliant areas and monitoring progress can only streamline the process of moving a change programme into business as usual. We fully support this and will work with the PCI SSC and card schemes this year to further this approach.

The compliance index

Did you know?...

From an analysis of our corporate and mid-tier portfolio, we can confirm that PCI DSS compliance is certainly moving the right way. As at January 2011, below is the shape of compliance by sector, so organisations can position themselves against their peers:

SECTOR               PCI Compliance
Hotels               50%
Gaming               50%
Insurance            46%
Retail               44%
University           37%
Restaurants/ Pubs    34%
Public sector        22%
Airlines             20%

Change vs 11/2010 indicators (column extracted out of row order): = ↑↑ = ↑↑

Breach Statistics

• Cybercrime affects all industries: top of the cost spectrum is information loss (42%). (*)

• 73% of attacks are of simple or average sophistication (default or shared credentials, SQL injections). (*)

• 49% of CEOs are very confident or confident that their organisation will not suffer a data breach within the next year. (*)

* see “Resources” on page 10

Page 9

Upcoming events

What’s happening in 2011

Q1 2011

27th January: PCI London (see page 4 inset)

6th February: European Card Acquiring Forum, Berlin, Germany. As proud winners of two ECAF awards in 2010 for Data Security (PCI DSS) and Channel (for contactless technology), Barclaycard is hoping that this year’s conference will be as successful! http://www.europeancardacquiring.com/

16th-17th February: PCI SSC ISA Training, San Francisco, USA.

9th-10th March: PCI SSC ISA Training, London, England. We advise L1-2 merchants to consider this training, especially in view of the MasterCard mandate. https://www.pcisecuritystandards.org/training/training_calendar.php

1st-2nd March: Technology for Marketing & Advertising, London. Barclaycard will be presenting at this event. http://www.t-f-m.co.uk

11th March 2011: PCI SSC – PCI Awareness Training, London, England. Please note, this is not the ISA training. https://www.pcisecuritystandards.org/training/non_certification_training.php#schedule

29th March: Safe & Sound Barclaycard/ IRM Quarterly event, London. “How compliant do you want to be?” Details TBC

Q2 2011

7th April: Barclaycard/ 7Safe quarterly event, London.

19th-21st April: Infosecurity Europe 2011, London. Barclaycard will be presenting at this event. http://www.infosec.co.uk/page.cfm/Link=687

TBC April: Barclaycard webinar for hotels (PCI and DCC)

28th May: Barclaycard Restaurants & Hotels Customer Forum, London, Vinopolis

23rd June: SC Magazine's Mobile Device Management conference, London. Barclaycard will be presenting at this event. http://haymarketevents.com/conferenceDetail/536

28th June: Safe & Sound Barclaycard/ IRM Quarterly event, London. Details TBC

TBC June: Barclaycard Financial Services Customer Forum, London.

Q3 2011

TBC July: Barclaycard Retail Forum

7th July: Barclaycard/ 7Safe quarterly event, London. Details TBC

13th September: Safe & Sound Barclaycard/ IRM Quarterly event, London. Details TBC.

From our partners

Semafone

We are pleased to announce that Semafone (Product of the Year at the Call Centre Awards 2010) have gained PA-DSS accreditation from the PCI SSC. They will be listed imminently. For more information about Semafone, please see http://www.semafone.com/

Worried about PCI DSS and call recordings?

Please see our white paper at http://www.barclaycard.co.uk/business/documents/pdfs/processing_telephone_payments.pdf

The Logic Group

Despite severe weather conditions at the end of November 2010, The Logic Group Secure Payment Forum events in London and Birmingham went ahead to demonstrate new solutions, including point-to-point encryption and tokenisation, to help merchants increase their security. For information on future events and downloads of previous presentations, please see http://www.the-logic-group.co.uk/Events/

When assessing encryption solutions, please see the Visa guidelines at http://www.visaeurope.com/en/businesses__retailers/payment_security/idoc.ashx?docid=a06621cc-9666-4ccd-9045-ecec84c7a94c&version=-1

Page 10

Resources

Where to find more information

Training your staff

We have been asked many times to provide some guidance on how PCI DSS training should be approached (see top tips on pages 2-3). For large organisations, this may pose a challenge. Layered approaches are usually the best, starting with the Board and C-level executives (financials, RoI, risk management, governance), then middle management (what it means to them). Then you need generic staff training, which is generally best deployed through computer-based training with a yearly assessment (this allows you to reach the whole organisation). There will also need to be specific training for staff coming into contact with cardholder information. Barclaycard have produced a PowerPoint pack that businesses can customise for their own purposes. If you’d like a copy, please email [email protected]

Where to find PCI DSS compliant L1 Service providers

Visa Europe: http://www.visaeurope.com/en/businesses__retailers/payment_security/idoc.ashx?docid=722c1918-ee68-4283-a701-6b473c2c1cdd&version=-1

MasterCard: http://www.mastercard.com/us/sdp/serviceproviders/compliant_serviceprovider.html

Do you need help with PCI DSS contractual clauses?

In our top tips on page 3, we advise businesses to make PCI DSS contractual provisions with their third parties (PCI DSS requirement 12.8.2). If you would like a copy of our 3 page sample contract addendum, please email [email protected]

Risk Matrix for e-commerce deployments

Top tip number 8 on page 3 mentions SaaS. If you’d like to see the risk scoring matrix of the different types of deployment for payment pages, please see our white paper: http://www.barclaycard.co.uk/business/documents/pdfs/processing_online_card_payments.pdf

More on breach statistics

For more information from the inset on page 8, please see the following reports:

From the Ponemon Institute at http://www.ponemon.org/data-security

• Business Case for Data Protection, 03/10
• 2010 Global Cost of a Data Breach, 04/10
• First Annual Cost of Cybercrime Study, 07/10

From 7Safe at http://www.7safe.com/breach_report/

• UK Security Breach Investigations Report 2010

Creating a secure culture

It is imperative that organisations understand the need to instil a security culture from top to bottom, and that payment security is not just an IT issue or ‘tick box’ exercise. Training is a vital aspect in achieving and maintaining the necessary changes in thinking and behaviours that are required for any successful payment security programme.

Get involved

To contribute to the development of the PCI standards, we recommend you become a participating organisation (PO) with the PCI SSC. POs will be able to contribute to Special Interest Groups (SIGs):

• Pre-authorisation
• Scoping (incl. Encryption, Tokenisation, Scoping & EMV) – chaired by Barclaycard.
• Virtualisation
• Wireless

To join a SIG or propose a new SIG, please contact [email protected] or see https://www.pcisecuritystandards.org/organization_info/special_interest_groups.php

Page 11

E-commerce solutions from Barclaycard

Introducing Fraud Reporter

For online and face-to-face payments Barclaycard can provide you with daily reports, confirming fraudulent transactions, as reported by Visa and MasterCard in the last 24 hours. We can also provide you with sector and UK fraud intelligence. Key features include:

• Fraud attack identification to stop goods & services being dispatched to fraudsters in near real time.

• Advance notice of potential chargebacks giving more time to investigate and prepare a defence.

• And more useful analysis tools to give you increased visibility into fraud attacks…

For more information please contact Dave Moore at [email protected]

Terminal news

Barclaycard’s payment page for SMEs, ePDQ, has remained PCI DSS compliant since 2007. Our new offering, SmartPay, launched in November 2010 for large corporate and multi-national organisations, is also PCI DSS compliant.

For more information, please see http://www.barclaycard.co.uk/business/accepting-payments/epdq-cpi/ and http://www.barclaycard.com/smartpay

Mobile terminals on the move

Planning to sell at a trade fair, festival or sales events? Worried about having to handle lots of cash or not being able to accept payments from customers only carrying cards? With a mobile Chip and PIN device from 123 Hire, you’ll be able to accept card payments for a short time away from business premises & maximise your sales.

To hire a mobile Chip & PIN device, Barclaycard customers can call 123 HIRE on 0800 074 1123 or e-mail [email protected]

Advertising on terminal till rolls

Barclaycard customers now have the opportunity to advertise their business on the reverse of terminal till rolls. This service is provided by UK Paper Rolls, Barclaycard’s approved supplier.

One colour branding is free and details of this service can be obtained by calling UK Paper Rolls on 0844 822 2044 or at www.pdqconsumables.com

Meet the team

Meet the Barclaycard Payment Security team; they help you through your compliance journey with payment security advice:

Barclaycard customers can email them at [email protected]

Page 12

Have your say

What did you think?

We would like this newsletter to be as relevant and topical as possible, and for this we need your help!

Please give us your thoughts on what you liked and what you didn’t like and how we can improve, and if the structure works.

What would you like to hear about?

We have a lot of topics we would like to talk to you about in the next edition, these include:

• More on cloud computing and perhaps go a bit deeper on SaaS implementations in real life
• More on risk prioritisation tools
• Governance, Risk and Controls (GRC)
• SIEM (Security Information and Event Management)
• Encryption and tokenisation

Please let us know if you have particular areas of interest which you would like to see covered.

Quote of the day…

Security isn’t something that you buy; it’s something that you do.

Last words…

And finally…

All that remains for me to say is that I hope you enjoyed our newsletter and found it of some use. Please let us know what you think about it, either by emailing [email protected] or me directly at [email protected]

Wishing you a Happy and Secure 2011!

Neira Jones

Barclaycard | Global Payment Acceptance
1234 Pavilion Drive | Northampton | NN4 7SG
http://www.barclaycard.co.uk/pcidss
Telephone +44 (0)1604 252651

PCI SSC Board of Advisors

We need your ballot!

Now that the current PCI SSC Board of Advisors has been in operation for two years, the PCI SSC will soon be starting the election process for its new BoA.

Barclaycard has been a member of the BoA for the past two years and in that short period of time, we have been able to represent our customers and pursue some important issues directly with the SSC.

It is Barclaycard’s intention to stand for re-election in 2011 and we ask our customers and partners to vote for us! The elections are not yet open, but we will communicate the schedule in due course.

We hope we can count on your vote!

New chair of PCI SSC

The Council announced the appointment of its new chairperson. Eduardo Perez, head of global payment system security, Visa, Inc., will succeed Bruce Rutherford of MasterCard Worldwide in this leadership position in 2011.

As chairperson, Eduardo will work with the Council's Board of Advisors, Participating Organisations, assessor community and merchants globally to increase awareness and education around the PCI Security Standards, as well as to promote the importance of protecting cardholder data.