PCI and Data Security: The Prioritized Approach and a Look Ahead
Introduction
The Payment Card Industry (PCI) Security Standards Council™ guides the efforts of Chief Information Security Officers, Compliance Officers, and others who protect cardholder information for payment card issuers, merchants, banks, processors, and service providers. The Council's PCI Data Security Standard (DSS) is a comprehensive set of requirements for security infrastructure, policies, and practices, intended to improve the security of cardholder and account data throughout the industry.
As the PCI Council completes its fifth year of operation, this paper reviews:
• successes and setbacks of the PCI Data Security Standard
• implications of the Council's new Prioritized Approach to DSS
• practical steps professionals can take to improve data security and maintain PCI DSS compliance
• effects of emerging technologies and legislation
This paper is an update and guide, not a tutorial on PCI DSS. Readers new to the standard should consult the excellent materials1 available from the PCI Security Standards Council itself, or one of the many introductory guides available from solution providers.
Compliance and Security
Few doubt that PCI DSS has helped standardize industry security practices and improve data protection. Often cited as a model for industry self-regulation, DSS helps card brands, issuing banks, merchants, and others reduce direct losses from fraud, and risks of reputation loss and litigation from data security breaches. Industry members comply with the standard out of direct financial self-interest, or indirectly to support the interests of powerful partners. DSS has been especially effective at improving security practices on the industry's front lines. In the words of Ellen Richey, Chief Risk Officer for VISA, "More than 90% of the largest card accepting merchants and about 97% of processors in the United States have validated compliance with PCI. The companies that fully embrace it are protecting themselves every day by maintaining their defenses, scanning systems, detecting anomalies and addressing threats."3
SHARP COMMON ACCESS CARD (CAC) OPTION
The Common Access Card (CAC) was developed in response to Homeland Security Presidential Directive 12 (HSPD-12). It is used by the Department of Defense (DoD) and other federal departments as identification for active-duty military personnel, reserve personnel, civilian employees, non-DoD government employees, state employees, the National Guard and eligible contractor personnel.
The CAC is used as an identification card as well as for authentication to enable access to DoD computers, networks, and certain DoD facilities. The CAC can be used to enable different MFP functions for users/groups depending on their access privileges, such as Color, Copy, Scan, Fax, Print and store documents. (In addition, it will enable encrypting and cryptographic signing of e-mail using the recipient/user key sourced from the CAC.)
The CAC kit takes advantage of Sharp expertise in Information Security technology and CAC authentication to deliver more secure MFPs. The kit is available exclusively to support the Federal Government and the Department of Defense (DoD) users that require CAC authentication support.
Sharp offers two CAC options:
• The MX-EC50 is an enhanced integrated option for Sharp’s latest MX series MFPs. It includes a USB CAC reader and an activation key.
– In order to activate the CAC option the Data Security Kit (DSK) must be installed.
• The DCL310S external CAC option supports all connected Sharp MFPs 23 ppm and up.
THE SHARP COMPREHENSIVE APPROACH TO SECURITY
Sharp takes a comprehensive approach to security by protecting every step in the document lifecycle, from the initial copy/scan/print/fax to final output and distribution. Fully scalable, Sharp’s Security offerings enable Information Technology (IT) personnel to confidently safeguard their infrastructure and MFP installed base, without impacting network traffic or workgroup productivity.
Canon imageRUNNER ADVANCE Security
INTENT OF THIS DOCUMENT:
Canon recognizes the importance of information security and the challenges that your organization faces. This white paper provides information security facts for Canon imageRUNNER ADVANCE systems. It provides details on imageRUNNER ADVANCE security technology for networked and stand-alone environments, as well as an overview of Canon’s device architecture, framework and product technologies as related to document and information security.
This white paper is primarily intended for administrative personnel responsible for the configuration and maintenance of imageRUNNER ADVANCE systems. The information in this document, in conjunction with other best practices, may be used as guidance to help improve your organization’s overall security. Some security settings may affect device functionality or performance. You may want to test these settings before deploying them in your environment to ensure you understand their effects.
Canon does not warrant that use of the information contained within this document will prevent malicious attacks, or prevent misuse of your imageRUNNER ADVANCE systems.
Security and Lexmark Multifunction Products: Overview of Features
Executive Summary
Multifunction products, or MFPs, are complex network devices that require careful security consideration. Lexmark MFPs and networking products include a wide array of security features. This document discusses the security features of Lexmark MFPs and provides an overview of their benefits and their implementation.
Any device that is placed on a network must be evaluated with respect to security. How does the device protect itself from unauthorized access? Does the device expose the network to any form of vulnerability? What sort of information does the device process and what are the security considerations related to that data? These, and many other questions, are appropriate to ask of any networked device, including networked MFPs.
Networked MFPs operate independently on networks and can be a focal point for sensitive information. Securing them is in some ways comparable to securing other conventional networked devices such as computers. The need for controlled network access and the need for secure remote management are largely the same for MFPs and workstations. In other areas, the security considerations around MFPs are substantially different. MFPs generally don’t run conventional operating systems, the concept of user authentication is applied differently, they do not have network file shares that need to be secured and they probably do not need or support antivirus software.
This document will define the major areas of security concerns related to MFPs and provide an overview of the security features of Lexmark MFPs that allow the devices to be deployed, managed and used in a secure manner.
Data Protection for Businesses with Remote Offices Across Multiple Locations
In today’s information age, protecting critical data of an organization’s branch offices, across multiple locations, should be standard practice. However, delivering a robust data protection strategy in environments with limited resources and often untrained personnel, can prove challenging. IDC quantified the size of this challenge: one-fifth of large companies have over 50% of their data in remote offices1, and another one-third of large companies have 20-50% of data in their remote offices. Very often, business-critical data at remote or branch office (ROBO) locations is inadequately protected, exposing the business to greater risk of lost data and lost productivity.
Introduction
A study conducted by industry analyst Enterprise Strategy Group found that the top three IT priorities for remote office / branch office (ROBO) locations were driven by business priorities: to improve information security, ensure regulatory compliance, and enhance disaster recovery2. However, the many choices in data protection technologies and approaches, coupled with a wide range of vendors to choose from, can make data protection planning a daunting endeavor.
This white paper drills deeper into these challenges and the considerations for a better way to approach data protection. It also explains how the HP data protection portfolio can help businesses overcome their data protection challenges, and drive better business outcomes. The white paper includes a glossary, defining terms used to expand data protection approaches, and where customers can find further information on HP data protection offerings.
Can You Trust the Cloud? A Practical Guide to the Opportunities and Challenges Involved in Cloud Computing.
Executive Summary
Cloud computing is one of the hot topics of our day. And it deserves all the attention, because it has the potential to deliver a wide range of innovative services for the management of infrastructure, development platforms, software applications, and complex business processes more efficiently and cost-effectively than ever before.
It will also speed up the development of intelligent, proactive “next gen” documents that will improve the productivity of Knowledge Workers around the world. But several challenges lie in the way before the cloud becomes a widely accepted paradigm for computing. There are concerns about security. And there is considerable confusion about the relative merits of public, private and hybrid clouds.
Nevertheless, cloud computing is fast becoming a dynamic force in the business world. And forward-thinking clients have discovered that the right approach to cloud-based services can help them improve performance and create a competitive advantage today. For more information, please read on...
Canon imagePROGRAF Disk Erase Version
Introduction
The Canon imagePROGRAF series is equipped with a disk erase feature that erases print jobs sent to the printer from the printer's hard disk. This feature completely erases data sent to the printer, such as classified data and private information, so that it is not leaked to third parties.
Generally, data written to hard disks on computers or printers is not completely erased when the memory is deleted or initialized in the usual way. You can use data recovery software to recover deleted data and retrieve information. This is precisely why preventing data recovery and completely deleting data is so important.
Disk Erase Features
The disk erase feature included with the Canon imagePROGRAF series responds to the need for an increased level of security.
The disk erase feature included with the Canon imagePROGRAF has the following 3 modes.
Secure Erase Mode
This is the highest level of erasure. It meets U.S. Department of Defense requirements (DoD 5220.22-M) for the erasure of disk media.
Data stored on the printer's hard disk is overwritten multiple times and then checked after the final overwrite. This makes hard disk analysis used during disk recovery impossible, preventing data recovery. For more information, see "5 How Secure Erasure Mode Works".
Secure Quick Erase Mode
In this mode, data stored on the printer's hard disk is overwritten once with random data. This prevents data from being recovered using software. This mode erases data quicker than Secure Erase Mode.
High-speed Erase Mode
In this mode, the file management information for the data stored on the printer's hard disk is initialized. Because only the file management information is initialized, the data still remains on the hard disk.
Secure Competitive Trade-in Program for MFPs
What You Need to Know to Protect Your Data.
A CBS news story recently detailed the unfortunate compromise of customer data stored on the hard drives of several multi-function printers (MFPs). Since this story aired, several Xerox customers have been understandably concerned. They want to know what features and functions are available on their current MFP equipment to ensure that their data is not compromised. And most importantly, they want to know how to dependably remove customer data from their machine at the end of its useful life. The solutions to this challenge are many. Some systems have disk encryption or 3-pass disk overwrite software available on the machine. These systems are fully protected against data compromise if the features are utilized. However, most in-place systems at customer sites do not have these features on the systems. In these instances, customers are generally advised to either upgrade the machine with a security kit or to pay to have the hard disk removed prior to leaving the customer’s facility. In either case, it’s an expensive and time-consuming process that customers have not incorporated into their budgets.
A Competitive Trade-in Option to Address MFP Security Concerns.
If a customer trades their competitive equipment with Xerox as part of a new MFP implementation, Xerox will crush the equipment, making any residual customer data inaccessible. The Xerox process will involve crushing the hard drive to prevent retrieval of any residual data on the machine. The Xerox process includes pick-up of the competitive equipment from the customer site and maintaining custody of the unit until it is dropped off at the destruction facility. Xerox tracks the equipment while it’s under our control to ensure the integrity of the process until the unit is crushed. This process will give our customers “peace of mind” that their data is protected if their current non-Xerox equipment is traded for new Xerox equipment. Additionally, virtually all new Xerox MFP equipment comes standard with 128-bit AES disk encryption as well as 3-pass disk overwrite features to ensure that our customers’ data is protected from day one on their new equipment.
Xerox® Secure Print: Your Peace of Mind for Confidential Documents
Xerox has the answer
Use the Xerox® Secure Print feature. If you don’t want your confidential or private documents to be left in the output tray, open for viewing, or even taken by someone else, Secure Print allows you to control the print timing of your documents. You can now optimize your print solution by using a workgroup device to print all your documents, without worrying about security!
Here’s an example:
You need to print your company’s product roadmap or an employee’s development plan. In the past, you may have used a personal printer to print these types of files. With Secure Print, the workgroup printer becomes your own personal printer! Print the file, and in the print Properties section, select Secure Print from the menu (this varies from device to device: see your user manual for exact instructions). Select a passcode of your choice and send the job to be printed. The job is held in the job list until you release it. At the device control panel, type in your passcode and the document prints. You control when the print takes place! Best of all, if multiple jobs are held using the same passcode, they are all released for printing at once – making it easy and quick for you to collect your jobs.
Ten Things to Know About Data Security
The intellectual property of your business is vital to its continuing success. Therefore, it is important to ensure confidential documents are not susceptible to security breaches. Whether it is a computer virus or a disgruntled former employee, you need to ensure your information is safe from unauthorized viewers. Luckily, with document management systems, it is easy to integrate advanced security features into your current workflows. Electronic Document Management can help protect your documents and increase productivity. If you are unsure if a document management system is right for your business, here are ten things you should know about document security:
1. Document management seeks to prevent data loss from the various kinds of threats to data. Unless a systematic approach is adopted for document security your business could be shut down by a breach of security.
2. Very few businesses can survive a complete loss of business data. Even partial losses can prove extremely serious, especially to smaller businesses. Consider what would happen if you lost all your customer data and invoice records from a computer virus. It can render you unable to recover your fees from credit customers that can equal a few months of sales. Or consider the secret product formula that gives you an edge in the market being stolen.
3. Document security starts with an intricate look at all the risks documents face and the impact of each. A clear view can make upper management aware of the real dangers that can easily occur, and as a result they are more likely to support security-enhancement measures.
4. One of the primary security measures is preventing unauthorized access to documents. Only authorized persons should be able to access each type of data. Access restrictions should be placed both on classes of data and levels of employees and can be integrated easily with the access controls on your multifunction device.

