QuickBooks and PCI compliance

QuickBooks stores credit card numbers. This is bad news for small merchants: it means a typical small business will have its entire network in scope for PCI compliance. QuickBooks has a guide (finally) for setting up QuickBooks for PCI compliance.
http://support.quickbooks.intuit.com/support/papb.aspx  The good news is QuickBooks encrypts the stored credit card numbers.
 
In addition, QuickBooks version 2008 is currently on the list of validated payment applications. See: https://www.pcisecuritystandards.org/
 
The problem most merchants will have is deploying QuickBooks in a PCI-compliant way; it is not enough for them to use a validated payment application. Small merchants will need to segment their networks, or all systems on that network will be in scope.
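To make the scoping point concrete, here is an added illustration (not code from the post, Intuit or the PCI SSC) that models the rule above: a host is in scope if it stores or processes cardholder data, or if the firewall permits a flow between its segment and the cardholder data environment (CDE). The host inventory, segment names and firewall rules are constructed for the example; the function names are this example's own.

```python
"""Added example (not from the post): a toy PCI DSS scope calculation.

Models the post's rule that without segmentation every system on the
merchant's network is in scope.  A host is in scope if it sits in the CDE
segment, or if the firewall permits a flow between its segment and the CDE
("connected-to" systems).  Inventory and rules are constructed.
"""
from itertools import permutations

# Constructed inventory: host name -> network segment it sits on.
HOSTS = {
    "qb-desktop": "cde",        # runs QuickBooks, stores card numbers
    "pos-terminal": "cde",      # card-present terminal
    "front-office-pc": "office",
    "file-server": "office",
    "guest-laptop": "guest",    # visitor Wi-Fi
}

CDE_SEGMENT = "cde"


def flat_network_flows(hosts):
    """A flat LAN: every segment can talk to every other (no firewall between them)."""
    segments = set(hosts.values())
    return {(src, dst) for src, dst in permutations(segments, 2)}


def connected_segments(allowed_flows, cde=CDE_SEGMENT):
    """Segments with any permitted flow to or from the CDE.

    Systems that can connect to the CDE count as in scope even if they never
    touch card data, so direction does not matter here.  Segments that only
    share a path with the CDE through a third party (e.g. both reach the
    internet) are not counted, so the model does not drag in every segment.
    """
    connected = set()
    for src, dst in allowed_flows:
        if src == cde and dst != cde:
            connected.add(dst)
        elif dst == cde and src != cde:
            connected.add(src)
    return connected


def in_scope_hosts(hosts, allowed_flows, cde=CDE_SEGMENT):
    """Return the set of host names that fall inside PCI DSS scope."""
    scoped_segments = {cde} | connected_segments(allowed_flows, cde)
    return {name for name, seg in hosts.items() if seg in scoped_segments}


def scope_report(hosts, allowed_flows, cde=CDE_SEGMENT):
    """Human-readable summary: how many hosts are in scope out of the total."""
    scoped = in_scope_hosts(hosts, allowed_flows, cde)
    return f"{len(scoped)} of {len(hosts)} hosts in scope: {sorted(scoped)}"


if __name__ == "__main__":
    # 1. No segmentation: QuickBooks sits on the same LAN as everything else.
    print("flat LAN    ->", scope_report(HOSTS, flat_network_flows(HOSTS)))

    # 2. Segmented: each segment may reach the internet only; the office and
    #    guest segments have no permitted path to the CDE.
    segmented = {("cde", "internet"), ("office", "internet"), ("guest", "internet")}
    print("segmented   ->", scope_report(HOSTS, segmented))

    # 3. One allowed office->CDE rule (say, for remote support) pulls the
    #    whole office segment back into scope.
    leaky = segmented | {("office", "cde")}
    print("office->cde ->", scope_report(HOSTS, leaky))
```

Run it as a script and the three reports show the progression the post warns about: a flat LAN puts all five hosts in scope, segmentation reduces that to the two CDE hosts, and a single permitted rule into the CDE brings the office segment back in. The same logic applied to a real rule base is a useful sanity check before an assessor draws the scope diagram.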

What do merchants using QuickBooks to process credit cards need to do?
1) Follow the guidelines for configuring QuickBooks outlined by Intuit.
2) Only upgrade QuickBooks to versions that are on the validated payment application list.
3) Get help if you need it.

Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
Red Flag Rule, PCI and Local Governments

Here is a question emailed to me followed by my response.
 
Dear Mr. Hester,
 
I was informed by CSMFO that you might be an excellent resource in regards to the Payment Card Industry compliance. It is my understanding that this standard as well as the federal Fair and Accurate Credit Transactions Act might be applicable to local governments. 
 
Mr. X,
 
There is often confusion concerning Payment Card Industry and the FACTA Red Flag Rule and whether or not local governments must comply. The short answer is they do apply.
 
As you may already know, PCI is a requirement from the payment card brands and is not a government regulation. PCI compliance is required for all organizations that process credit card transactions. This is true even if the credit card processing is outsourced or completely paper based. Non-compliance can result in fines, liability for cardholder and bank losses, and the City may no longer be able to take credit card transactions. The goal of PCI’s Data Security Standard (PCI DSS) is to protect credit card account information. We have a number of resources available to you regarding PCI compliance. Please refer to our website at:
http://www.mazeassociates.com/resources/category/1-pci
 
The ‘Red Flag Rule’, which is part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), requires “creditors” to implement an identity theft prevention program for “covered accounts”. Government agencies may be considered “creditors” if they have, for example, regular utility bills for customers. A “covered account” is any account that allows for multiple payments or transactions, or an account with a reasonably foreseeable risk of identity theft. This rule does not distinguish among accounts that pay with credit cards, cash or checks; it has to do with the prevention of identity theft in general. You will need to look at your current accounts to see if they fall under the definition of a "covered account". If they do, you will need to set up an identity theft prevention program.
 
In April of this year, the Federal Trade Commission announced they would grant a three month extension before enforcing the Red Flag Rule. In other words, enforcement will begin on August 1, 2009.
 
We recommend that all of our municipal clients implement National Institute of Standards and Technology (NIST) information technology (IT) security standards. We recommend adopting NIST standards because 1) they are recommended for state, local and tribal governments; 2) it demonstrates due diligence; 3) it focuses on protecting the City’s information and technology; and 4) it is foundational for PCI and Red Flag Rule compliance. NIST not only focuses on protecting the City’s information and technology but also covers many of the requirements of PCI and the Red Flag Rule, which focus on consumer protection. Please refer to our white paper on Information Technology Standards and Practices for Local Governments located at:
http://www.mazeassociates.com/resources/category/2-it-security

Donald E. Hester
 
NIST SP 800-53 Rev. 3 Final Draft

On June 3, 2009, the Final Public Draft of NIST SP 800-53 Rev. 3, 'Recommended Security Controls for Federal Information Systems and Organizations', was released. This will be a historic document, as it will become the most comprehensive control catalog available to date. NIST has taken the controls used for federal agencies and added the controls used for national security systems. In addition, NIST was working to establish specific mappings and relationships between the security standards and guidelines developed by NIST and ISO/IEC 27001 from the International Organization for Standardization and International Electrotechnical Commission.
 
"The public draft of Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems. The standardized set of management, operational, and technical controls provide a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems." NIST SP 800-53 Rev3 Final Public Draft
 
Additional noteworthy changes:
 
A new Risk Management Framework is introduced, intended to support enterprise-wide, near real-time risk management.
 
A new control family, Program Management, has been added under the Management class of controls; it provides controls for organization-wide information security programs.
 
You can review the draft and submit comments until June 30. The final release is expected on July 31, 2009.
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%203

 
Donald E. Hester
 