Monthly ArchivesFebruary 2008

Dude! Will you blog or something?! standard

Greetings folks! How about a headline wrap-up? Ready? OK! Liquid Bombs? Trivial or did they use a lab? False advertising on drive encryption? Recovering disk encryption keys from RAM? Cracking GSM in 30 seconds? What a week! Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

Continue Reading

From the Dept of Obvious Statements: PCI Not Just for Cardholder Data! standard

Evan Schuman (Storefront Backtalk) wrote on Valentine’s Day that PCI is not just for payments anymore. Hate it or love it, PCI is a great standard for a baseline of security. You can replace Cardholder Data with just about any type of data you want to protect, and you can establish a minimum baseline that will do a reasonable job of keeping that data protected. Security consultants have been pointing this out for a while. I think the part of this that is the most telling is that the security and IT programs in some companies are so bad and so far gone, that PCI is what is standing it up. Again, I still believe that the PCI-DSS is a ...

Continue Reading

MasterCard updates compliance dates standard

In a recent update to their website, MasterCard has altered its merchant levels to match Visa’s, and is giving Level 2 merchants until December 31, 2008 to validate compliance. This is another entry in the long standing debate about compliance dates, and what that means for merchants. Most of these merchants are already being fined in conjunction with the Visa Compliance Acceleration Program if they have not validated, so the extended dates may indicate fines or tougher pressure by MasterCard as the date passes (this is PURE speculation). This should not add any pressure to existing Level 2 merchants that have not validated, though having 2 card associations looking at you is definitely worse than one. Possibly Related Posts: PCI ...

Continue Reading

New PCI Self Assessment Questionnaire standard

The PCI Security Standards Council has released the long awaited version 1.1 of the Self Assessment Questionnaire (or should I say questionnaires). The key thing here is that the validation requirements are different depending on the type of merchant you are. There are now 4 versions of the questionnaire as opposed to 1, and they do map to the current PCI 1.1 standards. I think I assume that the intent is to keep the SAQ mirrored to the current version of the standards from now on, so we should see them updated this year if the standards are updated as planned. In addition, during the webinar call we asked if PA-DSS is still on track, and the response was “Yes,” ...

Continue Reading

People Hacking! standard

Yes, it’s true that part of the reason I was not posting very frequently is because I was running out of ideas. It is also true that I’ve started following Schneier’s blog again. Anyway… He’s got an excellent post with 2 examples of how Social Engineering was successful in the theft of significant sums of money. Security is made up of People, Process, and Technology, and people are almost always the weakest link. Possibly Related Posts: Improve Outbound Email with SPF, DKIM, and DMARC What’s the craic on KRACK? More Printer Security Talk That Printer is gonna GIT ya! Conference Wrap-Up, 2016

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!