Monthly ArchivesMarch 2009

Review of PCI Congressional Hearing standard

If you missed it, you can see a recording here! See what the Twitterverse had to say here by searching for #pcihearing. TONS of coverage on this. First, I am very proud of our congress for putting this hearing together. It is clear how serious this situation is when listening to the prepared, pointed statements read in the beginning. I hope I don’t make anyone upset, but I do giggle a little bit when non-techie folks trip up on techie terms. I certainly expect someone would giggle at me if I were reading a statement of detailed medical terms and missed the words. Regardless, huge props for taking the issue on. In the next paragraphs, clicking on the individual’s name ...

Continue Reading

How a Little Push can put you into a Freefall standard

Last week I moderated a panel at a PCI focused dinner in Chicago. Big props to the folks that helped to plan this (Alex, Melissa, Ben, and Diana from VeriSign), the event was great! The panel participants were heavy hitters from the industry including Anton Chuvakin from Qualys, Davi Ottenheimer from Arcsite, and Bill Cook from Wildman Harrold. Anton has a few great points from the event that he has posted on his blog here. We had a fantastic discussion, and there were even great discussions among the panelists that revealed conflicting opinions. We had so much discussion that we were unable to go through the entire list of questions I had prepared. I had thirteen, and we only were ...

Continue Reading

Guest Post: Compliant Compromise standard

The following is a guest post by Frank Castaneira. Frank is a Sr. Consulting Manager inside the Global Security Consulting practice at VeriSign. Matt Hines recently wrote about the PCI Council discussions on applicability and adequacy of the PCI Standard given reported breaches of validated entities such as Hannaford and Heartland. Branden recently discussed the PCI Council conversation on March 6. Branden suggested greater visibility by the Council into the incident response process. This posting amplifies on that solution and provides other perspectives. The discussions mentioned in Mr. Hines article focused on the QSA (Qualified Security Assessor) posture that an annual on-site assessment is relevant only for that point in time. Although, I recognize the issue (point in time), my ...

Continue Reading

Hello Chicago!! standard

I’m sitting in the Starbucks (a.k.a., my mobile office with thousands of locations world wide) on Ohio and State in Chicago preparing for our event this evening. I am moderating a round table discussion with some prominent industry experts around PCI, one of which is the venerable security pundit Anton Chuvakin. If you have a minute, please go read his recent post from his panel in Denver last night. He posed a very interesting question that I think we will be posing to our audience tonight! Check it out! Possibly Related Posts: Top Posts from 2015 October 2015 Roundup September 2015 Roundup August 2015 Roundup June-July 2015 Roundup

Continue Reading

Don’t forget to Vote! standard

The Bloggers at RSA are doing awards this year! The Social Security Awards need your nominations. Your nominations are due by March 31, so go vote now! As a reminder, what you need to do to vote is as follows. Go to the link above, then click Next. Under the Most Entertaining Security Blog, put my name, the url ( and that you think I’m WACKY! Possibly Related Posts: Top Posts from 2015 October 2015 Roundup September 2015 Roundup August 2015 Roundup June-July 2015 Roundup

Continue Reading

NEWS FLASH: Visa Lists Dates standard

Last night, Visa, Inc. collected a list of dates for upcoming compliance and published them on their website as “Key Dates.” If you ever wondered what dates you needed to hit for Visa, Inc., they are all listed right there! Some of the dates are news to this blogger, so it’s nice to see something official and published, not just things we hear through the grapevine or by talking to various pundits in the industry. The next deadline they list is on March 31, U.S. Level 1 and Level 2 Merchants Prohibited Data Retention Attestation Deadline (applies to newly identified Level 1 and Level 2 merchants late 2007 and early 2008). Possibly Related Posts: PCI DSS 4.0 Released plus BOOK ...

Continue Reading

What SHOULD Keep You Up At Night standard

Times are tough. Unless you are just now coming out of your winter hibernation, you are probably so beaten by that phrase that you are not far off from striking the next person that vomits it upon your day. Listen up executives, this one is for you. Breaches cost money. OK fine, I know that is not paradigm shattering knowledge I just dropped like it was hot. Still, executives miss the mark when trying to securely manage or grow their business. We know this because of the nearly daily additions to the breach list that manages. Executives have been failing at managing long term expectations for years. Any of us that work for a public company know that an ...

Continue Reading

Companies need PCI++ (not just PCI) to be safe! standard

Going through some email over here and looked through the recent edition of The Aegis from the Society of Payment Security Professionals, and found a great little snippet from Chris Mark entitled “Wear Your Seatbelt…and Maybe a Helmet.” In it, he pulls a quote from the PCI SSC that seems directed at detractors of the PCI DSS. They state: “The PCI SSC believes that the best way to protect cardholder data that is stored, transmitted, and processed is by implementing the PCI DSS and remaining in full compliance.” Chris points out that this seems to imply that PCI DSS is the high water mark, not the baseline from which you should build a program. It may just be that a ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!