Data Security
PCI and Data Security: The Prioritized Approach and a Look Ahead
Introduction
The Payment Card Industry (PCI) Security Standards Council™ guides the efforts of Chief Information Security Officers, Compliance Officers, and others who protect cardholder information for payment card issuers, merchants, banks, processors, and service providers. The Council's PCI Data Security Standard (DSS) is a comprehensive set of requirements for security infrastructure, policies, and practices, intended to improve the security of cardholder and account data throughout the industry.
As the PCI Council completes its fifth year of operation, this paper reviews:
• successes and setbacks of the PCI Data Security Standard
• implications of the Council's new Prioritized Approach to DSS
• practical steps professionals can take to improve data security and maintain PCI DSS compliance
• effects of emerging technologies and legislation
This paper is an update and guide, not a tutorial on PCI DSS. Readers new to the standard should consult the excellent materials available from the PCI Security Standards Council itself, or one of the many introductory guides available from solution providers.
Compliance and Security
Few doubt that PCI DSS has helped standardize industry security practices and improve data protection. Often cited as a model for industry self-regulation, DSS helps card brands, issuing banks, merchants, and others reduce direct losses from fraud, and risks of reputation loss and litigation from data security breaches. Industry members comply with the standard out of direct financial self-interest, or indirectly to support the interests of powerful partners. DSS has been especially effective at improving security practices on the industry's front lines. In the words of Ellen Richey, Chief Risk Officer for VISA, "More than 90% of the largest card accepting merchants and about 97% of processors in the United States have validated compliance with PCI. The companies that fully embrace it are protecting themselves every day by maintaining their defenses, scanning systems, detecting anomalies and addressing threats."
Can You Trust the Cloud? A Practical Guide to the Opportunities and Challenges Involved in Cloud Computing.
Executive Summary
Cloud computing is one of the hot topics of our day. And it deserves all the attention, because it has the potential to deliver a wide range of innovative services for the management of infrastructure, development platforms, software applications, and complex business processes more efficiently and cost-effectively than ever before.
It will also speed up the development of intelligent, proactive “next gen” documents that will improve the productivity of Knowledge Workers around the world. But several challenges lie in the way before the cloud becomes a widely accepted paradigm for computing. There are concerns about security. And there is considerable confusion about the relative merits of public, private and hybrid clouds.
Nevertheless, cloud computing is fast becoming a dynamic force in the business world. And forward-thinking clients have discovered that the right approach to cloud-based services can help them improve performance and create a competitive advantage today. For more information, please read on...
Secure Competitive Trade-in Program for MFPs
What You Need to Know to Protect Your Data.
A CBS news story recently detailed the unfortunate compromise of customer data stored on the hard drives of several multi-function printers (MFPs). Since this story aired, several Xerox customers have been understandably concerned. They want to know what features and functions are available on their current MFP equipment to ensure that their data is not compromised. And most importantly, they want to know how to dependably remove customer data from their machine at the end of its useful life. The solutions to this challenge are many. Some systems have disk encryption or 3-pass disk overwrite software available on the machine. These systems are fully protected against data compromise if the features are utilized. However, most in-place systems at customer sites do not have these features. In these instances, customers are generally advised to either upgrade the machine with a security kit or to pay to have the hard disk removed prior to leaving the customer’s facility. In either case, it’s an expensive and time-consuming process that customers have not incorporated into their budgets.
A Competitive Trade-in Option to Address MFP Security Concerns.
If a customer trades their competitive equipment with Xerox as part of a new MFP implementation, Xerox will crush the equipment, making any residual customer data inaccessible. The Xerox process will involve crushing the hard drive to prevent retrieval of any residual data on the machine. The Xerox process includes pick-up of the competitive equipment from the customer site and maintaining custody of the unit until it is dropped off at the destruction facility. Xerox tracks the equipment while it’s under our control to ensure the integrity of the process until the unit is crushed. This process will give our customers “peace of mind” that their data is protected if their current non-Xerox equipment is traded for new Xerox equipment. Additionally, virtually all new Xerox MFP equipment comes standard with 128-bit AES disk encryption as well as 3-pass disk overwrite features to ensure that our customers’ data is protected from day one on their new equipment.
Xerox® Secure Print: Your Peace of Mind for Confidential Documents
Submitted by Webmaster on Mon, 08/30/2010 - 21:58
Xerox has the answer
Use the Xerox® Secure Print feature. If you don’t want your confidential or private documents to be left in the output tray, open for viewing, or even taken by someone else, Secure Print allows you to control the print timing of your documents. You can now optimize your print solution by using a workgroup device to print all your documents, without worrying about security!
Here’s an example:
You need to print your company’s product roadmap or an employee’s development plan. In the past, you may have used a personal printer to print these types of files. With Secure Print, the workgroup printer becomes your own personal printer! Print the file, and in the print Properties section, select Secure Print from the menu (this varies from device to device: see your user manual for exact instructions). Select a passcode of your choice and send the job to be printed. The job is held in the job list until you release it. At the device control panel, type in your passcode and the document prints. You control when the print takes place! Best of all, if multiple jobs are held using the same passcode, they are all released for printing at once – making it easy and quick for you to collect your jobs.
Security in the Office
In today’s office, multifunction devices can print, copy, scan to network destinations, send email attachments, and handle incoming and outgoing fax transmissions. If everyone has access to your multifunction printer, that means just about anyone can launch attacks against the network and network resources ranging from simple (picking up documents left in the output tray) to complex (distributing documents over the network or accessing confidential information).
Xerox is committed to helping you secure your environment and achieve your regulatory compliance objectives through systems, software and services designed to provide security that assures the confidentiality, integrity and availability of critical document and network assets.
Security and the Federal Government
The Challenge:
Federal government policy requires that all networked devices used in national security systems meet specific information assurance goals including strict levels of integrity, confidentiality, and availability for systems and data, accountability at the individual level, and assurance that all security claims are objectively verified.
The Solution:
Common Criteria Certification, administered by the National Information Assurance Partnership (NIAP). This is a rigorous process that includes the testing of devices against security requirements by accredited, third-party laboratories.
The Xerox Advantage:
In addition to delivering exceptionally well-architected and highly productive devices into the office environment, Xerox has received Common Criteria Certification for the WorkCentre M35/M45/M55 and WorkCentre Pro 35/45/55. As part of the certification process, the security of the embedded fax function of these devices was also validated. No other multifunction device manufacturer has obtained third-party assurance that fax and network lines are separated.
Creating secure document management processes and protecting document confidentiality.
Protecting sensitive, proprietary or classified information has always been challenging. Nevertheless, before the advent of today’s digitally networked offices and increasingly sophisticated threats, maintaining airtight security of confidential documents often meant simply putting those documents away and locking the door behind you at the end of the workday.
In this uneasy, post-9/11 environment, however, managers in government as well as healthcare, financial services, pharmaceuticals and other segments of corporate America are more aware than ever before of the need for deploying more sophisticated document security processes and technologies to ensure confidentiality.

