nuBLOG

RSA Conference 2010 – No place to sit? No Problem.

nuBridges Blog — Wed, 03 Mar 2010 11:08:15 -0500

If you’ve ever been to a large conference, you know how difficult it can be to find a spot to sit down, talk and conduct business – with the press and analysts, for instance.

nuBridges solved that problem with “nuBridges Press Suite in a Box!” With a table for four from our customer, Cabela’s, and a little nuBridges branding, we’re never without a place to sit and visit with media, analysts, prospects and customers. No more wasting precious time looking for a place to sit!

The annual RSA Conference is held at the Moscone Center in San Francisco every year and the Starbuck’s across the street is a favorite meeting place. But it fills up quickly. For nuBridges, that’s not a problem. We travel with “nuBridges Press Suite in a Box!”

Simply find a nice spot within the restaurant, especially when it’s raining like it has been this week, and off you go.

If you’re at the RSA Conference this week or attending another conference in the near future where nuBridges is, like InfoSec Europe, stop on by and we’ll find a nice place to sit with “nuBridges Press Suite in a Box!”

Until next time,

Gary

Call centers and PCI DSS compliance. Let the purging begin!

nuBridges Blog — Fri, 26 Feb 2010 11:31:21 -0500

Gary Palgon
Vice President, Product Management
nuBridges

Yes, indeed. Just six weeks into the year, and the Payment Card Industry Security Standards Council (PCI SSC) has issued three clarifications regarding the storage of cardholder data on digital audio recordings. Now the PCI SSC has formally clarified that storing payment card data in digital call records is forbidden.

The issue is recordings that include card security codes –CAV2, CVC2, CVV2 or CID codes by the payment card brands. On January 22 the PCI SSC issued a revised FAQ on call center recordings.

Digital audio recordings have always been in PCI DSS scope, but if they weren’t searchable you could still store the security codes. But don’t just rely on that because they have already changed that policy since then. Evan Schuman reported in StorefrontBackTalk on February 18th that they added the phrase, “if that data can be queried;” however, there is still confusion as to what that actually means.

So, what does this mean for your call center? You need to purge all your existing digital voice recordings of security codes, discontinue storing these codes on all new recordings and encrypt any recordings that maintain the PAN.

As always, keep checking back with the PCI SSC web site for updates. Are you finding this easy or difficult to accomplish and why?

Until next time,

Gary

3 days ‘til HITECH penalties enforced

nuBridges Blog — Fri, 19 Feb 2010 16:44:28 -0500

Kyle Parris
Director of Product Management
nuBridges

That’s right. February 22, 2010 is the date when monetary penalties can be imposed if unsecured Protected Health Information (PHI) is breached. Under the Health Information Technology for Clinical and Economic Health (HITECH) Act, PHI in the form of electronic data is considered unsecured unless it is encrypted or destroyed.

NIST-compliant encryption is mandated by the act’s related Health and Human Services (HHS) breach notification regulations. If your health care organization doesn’t encrypt PHI today, is it on your “to do” list?

It’s never too late to avoid the prospect of hefty sanctions. I’d like to recommend a white paper that nuBridges recently published http://nubridges.com/resource-center/whitepapers/best-practices-enterprise-mft/ to help you analyze the different managed file transfers that are available to securely and reliably transmit electronic PHI.

To your health,

Kyle

Don’t forget about scanned images for PCI DSS compliance

nuBridges Blog — Tue, 16 Feb 2010 08:41:23 -0500

Gary Palgon
Vice President, Product Management
nuBridges

The Payment Card Industry’s Security Standards Council issued a clarification about audio recordings on January 22, 2010 noting that card validation codes and values must not be stored under usual circumstances to be considered PCI DSS compliant. PANs in the recording, of course, must be encrypted following the current standards as well.

Much like audio recordings, scanned images that contain the PAN and card validation codes must be addressed as well.
Requirement 3.3 specifically states that “displays of PAN (for example, on screen, on paper receipts) … are masked when displayed ...”
Requirement 9.6 notes: “Physically secure all paper and electronic media that contain cardholder data.”
Like the audio recordings, track data should not be stored based on Requirement 3.2 : “Do not store sensitive authentication data after authorization (even if encrypted).”
Images containing credit cards will need to be encrypted as required by Requirement 3.4: “Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).”

Don’t be caught off guard as you make your way though a PCI DSS compliance audit – trace all input sources of credit cards and follow the card “information supply chain” to make sure you’ve addressed all occurrences of this sensitive data.

Are there any other areas of input that you’ve seen frequently missed during audits?

Regards,
Gary

PS... If you have not already registered, I am co-presenter for live webinar being held February 24, 2010 at 2pm EST. Brian Grafsgaard of QBS and I will discuss "Applying PCI Best Practices to Protect PII" Click here to register: https://www1.gotomeeting.com/register/314351497

What will DLP do when we live in a tokenized world? That’s today’s conundrum.

nuBridges Blog — Mon, 08 Feb 2010 14:38:05 -0500

Gary Palgon
Vice President, Product Management
nuBridges

Data Loss Protection or Data Leak Prevention (DLP) applications are often used to discover credit card and other personally identifiable information in enterprises. If you don’t know where sensitive data exists, how can you protect it?

Imagine this. Your company has migrated to a security model where tokens, or surrogate values, are spread throughout the enterprise instead of the actual values, say for actual credit cards. If the tokens are format-preserving and therefore resemble credit cards but are actually tokens, how will the DLP systems know that they are tokens and not sensitive data?

While the latest indications on the next PCI DSS standard will only have minor changes in it (see No major PCI DSS revision expected in 2010), Walt Conway pointed out in StorefrontBacktalk that there’s a real possibility that the PCI DSS standard may eventually will mandate automated cardholder data discovery.

We better get creative quickly to solve this one! Any ideas?
Until next time,

Gary

HITECH Act Enforcement and Heightened Regulation Begins February 18th

nuBridges Blog — Tue, 26 Jan 2010 13:52:21 -0500

Kyle Parris
Director of Product Management
nuBridges

By extending HIPAA (Health Insurance Portability and Accountability Act) rules for secure transfer of protected health information (PHI), the 2009 HITECH ( Health Information Technology for Economic and Clinical Health) Act mandates that health care providers enforce encryption and audit controls over all business processes involved with data transfers. The provisions with the most significant impact for health care organizations are the mandatory breach notification requirements, combined with a new, punitive enforcement scheme. The risks for penalties, fines, brand damage and loss of business are great. So, what does that mean when it comes to the risk to your health care organization? It means that your organization can be heavily fined for data breaches. And you, your employees and business partners are even subject to criminal penalties.

What’s your best option for ensuring that you, your employees and business associates are in compliance with the spirit and letter of HITECH? The simple answer is secure all PHI according to HHS (Health and Human Services) guidelines. Make certain that all electronic PHI is encrypted. For PHI that is in transit within or outside your organization that means employing a Managed File Transfer solution that meets best practices for data encryption.

Are you ready for February 18th?

Until next time,
Kyle

Conundrum – My company wants me to share more data and at the same time secure more data!

nuBridges Blog — Wed, 20 Jan 2010 08:34:45 -0500

Gary Palgon
Vice President, Product Management
nuBridges

CIOs everywhere are being told by the business that they need to share more data, both internally and with business partners. And then they are being told to secure more data to limit its use to only authorized users.

Retailers, like many other industries, have been battling this during the past few years as they strive to comply with the PCI Data Security Standard to protect credit card information but the battle is only getting more complex. Key to many organizations is their customer information, often part of loyalty and/or credit programs which require them to store for future use information considered to be personally identifiable information or PII.

In a recent article by Walt Conway about what he heard at last week’s National Retail Federation (NRF) conference, he noted “While in New York, I heard a lot of CIOs talk about balancing the pressure to open systems and databases to more internal users with the need to protect the data. This balancing act will get more interesting as the volume of customer data expands.” This is exactly the dilemma I hear all of the time.

And while that’s from a retail perspective, it’s no different in Healthcare. Look at the US Health Information Technology for Economic and Clinical Health Act (HITECH) which as part of the American Recovery and Reinvestment Act (ARRA) has a goal to implement electronic medical records (EMR), secure protected health information (PHI) and share patient data security through out the ‘medical supply chain’. Once again, the theme mirrors that above, share the electronic data but also secure it.

There are no silver bullet answers here, but it is important to take a strategic look at how PCI, PII and PHI is created, used, shared, archived and destroyed in order to properly ensure it is only used by authorized individuals, secure at all times and destroyed when it is no longer needed.

What are the challenges related to locking down data and sharing more data in your organization?

Until next time,

Gary

PS...Later this week, nuBridges is releasing a new White Paper, "The Power of Integrated Protection." This White Paper explores the emerging issues that are driving enterprises to seek an enterprise-class encryption, tokenization, key management and compliance solution to protect sensitive PCI, PII and PHI data. I am offering early access to my loyal blog readers. Click here to download the new White Paper, "The Power of Integrated Protection."

Will Federal Legislation Eliminate Complicated Data Breach Notification Legal Patchwork?

nuBridges Blog — Mon, 14 Dec 2009 11:14:10 -0500

Gary Palgon
Vice President, Product Management
nuBridges

We’ve had a close eye on D.C., as two retooled data breach notification bills have been wending their way through Congress. While we had our eye off the ball recently (guess we were lulled into thinking this newest round of legislation would go the way of the past several bills), on December 9th the House of Representatives passed, for the first time ever, a data breach notification bill. While that’s great news, we’re wondering that if the bill makes it through the Senate and becomes the law of the land, will it replace the patchwork of state laws – 45 as of today – that exist? Right now, breach alert mandates are handled at the state level. Will this legislation rationalize data protection legislation across the US? Doubtful, but more realistically it will provide a consistent baseline from which states, and companies looking to comply with data protection notification laws, can use as a starting point.

The Data Accountability and Trust Act (DATA) will indeed standardize data protection across the US at a Federal level. It requires companies, defined as data brokers, that hold sensitive personal information – everything from Social Security numbers to driver’s license numbers to credit card information -- to secure that data and provide notice to affected consumers that their data has been compromised. What’s more, the bill allows consumers to have access to files about them and request that errors be corrected.

The bill directs the Federal Trade Commission (FTC) to create rules for destroying obsolete non-electronic data in addition to requiring data brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request. If a breach does occur, the FTC is ordered to conduct a security audit of the data broker.

As with many state laws, the DATA has a safe harbor provision. According to the legislation, data encryption establishes a presumption that no reasonable risk of identity theft, fraud or other unlawful conduct exists following a data breach. Here’s the actual language of the legislation relating to data encryption:

“…Encryption – The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been, or is reasonably likely to be compromised…”

It’s not great news that it takes Federal legislation to push companies along to protect consumer data in the first place, but I’m hopeful that a Federal law will lead to making data protection easier for all of us – what do you think?

Best wishes for a happy holiday,
Gary

PS...nuBridges can help you take advantage of “safe harbors” and minimize the risk of a breach. nuBridges Protect™ is an integrated encryption, tokenization, key management and audit logging solution that is already proven in business-critical production environments – for example, it encrypts billions of credit card numbers every day around the world.