Monthly ArchivesMay 2008

Is PCI Working? standard

I was asked this question while sitting on a panel at RSA, and I think the answer depends on your perspective. I’ll answer this from a security industry perspective. If nothing else, you have to credit PCI with forcing the issue. Security among retail enterprises was generally limited to loss prevention and physical security until recently. Information security usually existed as a small and buried team within the Information Technology group, and did not have board level attention. If someone at the board was savvy enough to realize that security reporting to IT is an example of the fox guarding the hen house, then maybe they moved security into Internal Audit. Now we are seeing a massive amount of development ...

Continue Reading

See you at the Gartner IT Security Summit! standard

Are you making the trek to DC next week for the Gartner IT Security Summit? VeriSign will be there, and I’ll be speaking on Monday, June 2, at 4:15PM in Potomac 6. It’s time to discuss the classic transmogrification, changing the tactical PCI approach to strategery. Phew! Anyway… Come see my presentation or stop by the VeriSign booth! Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

Continue Reading

Will your QSA Breach your Contract? standard

Your QSA may not be telling you the whole story. No, I’m not talking about sloppy assessment work. What I’m referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors requires that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the doc linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement! In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their ...

Continue Reading

PCI News Flash! PCI-DSS Version 1.2 to be released in October standard

If you had any action on the Vegas odds for the release of the next DSS and what it might be called, time to cash in. I was speculating that it would occur around the time of the conference this year, and it would have been called 1.2 (vs 2.0). Ahh, you win some, and you lose some. The official release is here, and hints that there may be some new requirements coming down the pipe. They typically give 18-24 months to implement, so no need to panic now. But watch out for more controls around wireless! Possibly Related Posts: PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete ...

Continue Reading

Will you meet the 6.6 PCI Requirement by June 30? standard

Well? Will you? We’re waiting!?? Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan from Computer World writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6. In this clarification, The Council declared the intent of the code review component to include “Manual web application security vulnerability assessment” and “Proper use of automated web application security vulnerability assessment (scanning) tools.” ...

Continue Reading

PCI News Flash! QSA Lookup! standard

Do you wonder if the consultants that your QSAC sends on-site are actually QSAs? Well now you can check! For some reason, all of VeriSign’s QSAs don’t appear in this list, but we’re diligently working to correct that. I can only imagine the large QSACs are probably flooding Cathy with email right now. Possibly Related Posts: PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization? Is All Good News REALLY Good News?

Continue Reading

Brando, On Writing standard

Greetings everyone! Go check out my guest post on Karen Swim’s fantastic blog, Words for Hire. “Step 1: Extinguish the precipitous rubescent LED-based luminosity!” Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

Continue Reading

Why PCI will Never be a Federal Mandate standard

One of the arguments for becoming PCI compliant is to keep this an industry regulated certification, versus having to deal with a federal mandate like Sarbanes-Oxley. People often ask me if I think PCI will become a federal mandate. I don’t think it is possible. Most federal mandates are designed to protect their citizens (I said MOST… ok?). The electronic payment system already has mandates to protect the citizens. For example, did you know that the Fair Credit Billing Act limits your liability to $50 for unauthorized charges? Personal experience says $0 liability if the physical card is still in your possession. PCI is designed to minimize losses to issuers and the brands caused by a credit card breach and ...

Continue Reading

Am I too trusting? standard

Monday was presentation day at CSI-SX. I had a decent crowd, for the breakout session! One day, I’ll do a talk that is not the last session of the day 🙂 While I was in between sessions sitting in the speakers lounge, one of the other speakers (I did not catch his name) dropped his computer bag and jacket on the chair across from me. I looked up, nodded, and went back to my work. He proceeded to pull out one of those laptop locking devices that you see at public terminals. You know, the ones you can beat with a toilet paper tube. He then secured the whole apparatus (bag included) to the chair! A conference chair. The ones ...

Continue Reading

PCI Council Reinforces Standard standard

The PCI Security Standards Council released a statement yesterday defending the PCI-DSS against claims that the standard is not strict enough and will not protect against common attacks. This is the first real communication we’ve gotten from the council since the announcement of the Hannaford breach earlier this year. This statement is the first to be released to try and counter the negative press from Hannaford telling the world that they were compliant with PCI. This was the first breach of a Level 1 merchant that had validated compliance through a QSA. After reading the statement from the council, vague as it is, merchants should feel better about their PCI programs. The PCI DSS, if properly implemented on a merchant ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!