The Green Sheet Online Edition
July 11, 2011 • Issue 11:07:01
More regs, requirements from FFIEC, PCI council
Federal regulators updated their take on Internet security, and put bankers on notice that greater scrutiny of online banking security will begin with 2012 examinations. The Federal Financial Institutions Examination Council is an umbrella group that develops uniform examination practices and standards that span different types of financial institutions.
FFIEC members include the Federal Reserve, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration, Office of Thrift Supervision and a committee of five state bank regulators.
On June 28, 2011, the FFIEC released a supplement to a guidance document originally issued in October 2005, Authentication in an Internet Banking Environment. The supplement updates that document, describing "supervisory expectation regarding customer authentication, layered security, and other controls in the increasingly hostile online environment," the FFIEC wrote.
The supplement emphasizes the need for regular risk assessments, effective strategies for mitigating risks and raising customer awareness of potential risks. The FFIEC expects examiners to begin using the new guidelines in January 2012. Download the enhanced guidelines at www.ffiec.gov/press/pr062811.htm.
PCI SSC releases list of secure payment app requirements
A list of requirements for payment applications to meet payment industry data security requirements was recently released by the PCI Security Standards Council (PCI SSC). The list clarifies what standards payment applications must meet to be eligible for Payment Application Data Security Standard (PA DSS) validation and listing. The list includes information on how the PA DSS applies to mobile payments.
The PCI SSC manages the Payment Card Industry (PCI) Data Security Standard (DSS), the PIN Transaction Security (PTS) requirements and the PA DSS. Only payment applications that store, process or transmit cardholder data as part of the transaction and are sold, distributed or licensed to third parties are eligible for the PA DSS program.
Complete information on how to comply with the PA DSS can be found at www.pcisecuritystandards.org/security_standards/documents.php?association=PA-DSS.
The PCI SSC is evaluating mobile communication devices and payment applications to determine the risks involved in validating mobile payment acceptance applications to the PA DSS 2.0 standard. In late June, the council issued its position concerning mobile payment security, "Which Applications are Eligible for PA-DSS Validation? A Guiding Checklist." The council plans to release further guidance by year's end.