LONDON, 26 April 2010 – Commidea, the leading card payment processing solution provider, and Foregenix, an independent, specialised information security business, call upon retailers, e-commerce merchants and banks to reduce the risk of card holder data breaches by taking a number of steps underpinned by the Payment Card Industry Data Security Standard (PCI DSS) framework. 

Attacks against the payment card industry and retailers continue to increase in sophistication, with the use of malware and automation becoming more prevalent. The top five cardholder data attacks are SQL injection, unauthorised access through default or shared credentials, malware, third parties or trusted access and perimeter security issues such as firewalls.

“Over 90% of the businesses that our team have investigated during the last five years were unaware of which sensitive, or in some cases prohibited, data was present on their network,” said Benjamin Hosack, director, Foregenix. “This is a worrying statistic, but with the right tools in place unprotected cardholder data can easily be identified and protected or securely deleted.”

Top tips for protecting against data attacks:

1. Identify where account data is stored within your network. Use a forensically sound Account Data Discovery toolwhich regularly identifies unprotected cardholder data.
2. Strive to achieve and maintain an account data ‘sterile’ environment by removing sensitive cardholder data.
3. Regularly scan external and internal networks for vulnerabilities. PCI DSS requires a minimum of quarterly scanning, although you are recommended to undertake this at least on a monthly basis. Organisations should also monitor www.owasp.org to understand what new threats are being identified and therefore need to be addressed within their own businesses.
4. Deploy and maintain strong end-point protection, including anti-virus, host-based intrusion detection security, intrusion prevention systems and log monitoring.
5. Restrict access to your network and log activity on all systems handling card holder data.
6. Ensure that all third parties, such as payment processing vendors, are fully PCI DSS compliant and maintain strong levels of security before they gain access to your business critical systems.
7. Manage and review your network infrastructure, such as routers, switches and firewalls on a regular basis. Passwords need to be changed regularly and should be unique to that user or system.
8. Protect your cardholder data.  Where possible, it is recommended to deploy end-to-end encryption to protect the cardholder data from the moment it enters your business network.  There are various solutionsavailable which do not give the merchant the ability to decrypt the data, which is a key factor in reducing the scope of PCI DSS within a business.
9. Become PCI DSS compliant and maintain your compliance levels. View PCI DSS as an ongoing enterprise activity that involves people and processes as well as technology.  Even when you think you have covered off as much as possible of the standard, you are only as secure as the next system software or hardware upgrade, human error or yet to be discovered security hole.

“There is no ‘silver bullet’ for cardholder data protection. It requires constant scrutiny and a collaborative effort between the merchant, bank and the solution provider. But adhering to a few basic disciplines can greatly reduce your risk of a data breach.” said Ian Rutland, Marketing and Communication Director for Commidea. “The alternative, a data breach, damaged reputation and a substantial fine, is much less appealing and we would encourage all businesses handling sensitive cardholder data to follow these simple guidelines.”

- ends -

Notes to Editors

About Commidea and Point International

Commidea is part of the Point International Group of companies.  Point is the leading European provider of electronic payment solutions and supports over 300,000 customers in the Nordic, Baltics and the UK through the provision of innovative and secure card payment solutions.  Every day more than 7 million secure card transactions are handled through Point solutions. The Group manage more than 400.000 payment devices and customers range from large high street retail names to small independents, award winning e-commerce sites and many leading mail order companies.  The Group is present in the UK, Denmark, Finland, Norway, Sweden, Iceland, Latvia, Estonia and Lithuania with and employs over 500 staff.

Commidea has built a reputation for reliability, innovation and excellence and has developed Ocius, a Chip & PIN solution which is pre-certified by the banking community that has set new standards within the industry. Ocius Sentinel, is the first UK certified solution to offer complete end-to-end encryption enabling fast and secure processing.

Working with a network of business partners throughout the UK, Commidea delivers a managed, PCI DSS compliant, multi-channel payment solution to all sizes of business. Commidea also supports many of the country’s leading specialist distributors and system integrators.

www.commidea.com  and www.pointinternaional.com

About Foregenix

Foregenix is an independent, specialised information security business with strong experience in the PCI DSS, PA-DSS and account data compromise investigations (forensic investigations).  Foregenix provides the following services to their clients across the EMEA (Europe, Middle East and Africa) region:

• Account Data Discovery
• Forensic Investigations
• PCI DSS
• PA-DSS
• Security Consulting
• Penetration Testing
• Security Software Development

For more information, please visit the Foregenix website or contact us on 44 (0) 845 309 6232.

www.foregenix.com

For more information or interviews with Commidea and Foregenix contact:

Lucy Marshall or Kirsty Sewter                                   

Fourth Day PR                                                           

020 7403 4411                                                                       

lucy@fourthday.co.uk