Monthly ArchivesSeptember 2007

2 Weeks Later, the shock wearing off yet? standard

Two weeks ago, we released our recent study on why companies are failing PCI. We based our report findings on 60 recent PCI assessments involving 50 different large companies. Since then, there have been multiple media outlets that have picked up and commented on the report. One in particular I’d like to review is an article by TechTarget (which interestingly enough, now has a new title). When Keith Gosselin of the Biddeford Savings Bank in Maine was told that our report showed that nearly half of the companies are failing requirement 11.2 (quarterly scanning), he stated, “It surprises me how high that number is.” I think this was a big shocker for us as well, but after letting the shock ...

Continue Reading

What I Don’t Know WILL Hurt Me standard

This one still amazes me every time I see it happen. I would think that by now, people would try to understand what they don’t know so they can deal with it. I am dead wrong. I’d like to reflect back to a conversation I had with an Information Security Director in a prominent company in the transportation industry. The reason why the industry is important here, is we met with this individual after the 9/11 attacks. Most people in the transportation industry were hyper-sensitive to security at the time. We went in and were pitching enterprise security intelligence services–something that might be relevant to this individual. This individual welcomed us into an office, allowed us to talk about this ...

Continue Reading

PCI News Flash! Visa posts compliant merchant percentages! standard

In an effort to continue to boost compliance, Visa USA is now publishing a report that details their merchant compliance by level. According to my contacts inside Visa USA, this list will be updated on a monthly basis. We are all expecting the numbers of compliant Level 1 & 2 merchants to increase as fine deadlines approach. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Continue Reading

Acceptable Losses, a Customer Perspective standard

I recently did some work for a customer that had an interesting perspective on the physical security of devices. We were talking about putting some specific controls in place to hold encryption keys, and when we mentioned that we could put them on little USB sticks (not an HSM, but think like that), they said “Oh, if we do that they will disappear from the stores.” Employee or customer theft of devices sure does not come up as something we deal with every day. This particular company ran largely a cash-based business, and had a very small group of customers that paid by credit card. They were actually considering completely dropping all credit card acceptance because of the added risk ...

Continue Reading

PCI News Flash! PCI-SSC adds PED Security Requirements standard

The PCI-SSC announced today (ok, the date says Tuesday, but it was not posted until this morning) that they are adding PIN Entry Device (PED) security requirements into their domain of responsibility. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Continue Reading

The Problem with Scale standard

One of the big problems with building a business is ensuring that processes & procedures scale. Information Technology programs are no exception. We spend as much time as we can building in automation such that our precious resources are not consumed repeating a task over and over. Security is no different. In fact, there are several tactical security tasks that require strategic planning in order to scale them. For example, patch management tends to be a big issue for many companies, especially retailers. How do I create a system that allows me to do massive patching with limited (if any) downtime? How can I ensure a high rate of success? How do I keep exception management to a minimum? We ...

Continue Reading

Visa Issues Eliminating Cardholder Data Brief standard

Late last night (well for me in Central time), Visa posted a new brief on their CISP website regarding eliminating the storage of prohibited cardholder data. Essentially, this is just another data brief explaining how to look for and remove prohibited data. Prohibited data as defined by the PCI Data Security Standards, Requirement 3.2, includes such things as CVV/CVC Data (as found in the magnetic stripe of the card), CVV2/CVC2/CAV2/CID (3 or 4 digit code in the signature panel or front of the card), and the PIN or PIN Block. According to the brief, there has been a number of compromises recently where prohibited data was stored. For more strategies on eliminating cardholder data, please read my paper entitled “More ...

Continue Reading

WDOCD: Secure File Transfer standard

This episode of What Do Other Companies Do is typed before a live studio audience. The question comes from Bill of Jack’s Joke Shop (Remember, “If it ain’t funny, it ain’t worth jack!”), and he asks: “We’re looking for a large file transfer solution that will secure data in-transit. We have a small I/T shop and Help Desk and do not have the capacity to handle user provisioning & management for a solution, and really don’t want to start managing a file repository with aging requirements. Like most companies, we are subject to various compliance initiatives such as PCI, HIPAA, and GLBA, but our top management has asked us to exceed compliance baselines where possible. What do you see other ...

Continue Reading

Boss, I Think Someone Stole Our Customer Data standard

This month in Harvard Business Review, we finally get a case study that applies to Information Assurance! “Boss, I Think Someone Stole Our Customer Data” ($4 PDF) tells a story that many CEOs fear, and some can give you a first hand account about–a breach of customer data. While the case study does speak in some general terms, it is an excellent table-top exercise to run through during your regularly scheduled incident response plan test. This exercise should include various functional groups such as Legal and Marketing in addition to the traditional security or information technology employees. The case study is written in general terms, and can be used multiple times as the law changes. Possibly Related Posts: Selective Domain ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!