Monthly Archives: June 2009

MerchantWARE Goes Blackberry, and the story of the unvalidated payment application standard

The Merchant Maven posted a release about Merchant Warehouse’s new Blackberry version of MerchantWARE, following in the footsteps of the apparently successful iPhone application. This new trend is yet another example of the need for good mobile payment security. While the software company states that the application complies with both PCI DSS and PABP, it is not listed on the official Validated Payment Application list as either validated under PABP or PA-DSS. That only means that they have not had an assessment performed and paid the required fees to get it listed on the site. Acquirers are wary of Point of Sale (POS) vendors and POS implementers, all because of a few bad apples. The restaurateur is at a particular ...


The Final Word on MasterCard’s New Levels

It’s been a little over a week now since MasterCard took the PCI world by surprise and changed their reporting requirements for Level 2 merchants. Whether you are currently a Level 1 or Level 2 merchant, these changes affect you. Here’s the summary and rundown. MasterCard posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and perform an on-site assessment before December 31, 2010. In addition, Level 1 merchants that were previously self-assessing may not self-assess anymore, and must use a QSA for their PCI Assessments. This is a dramatic change from the current, industry-wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing ...


Much Ado About Nothing, Merrick v. Savvis Update

Don’t write Savvis off yet! Dave Navetta posted an update to the Merrick v. Savvis case that every QSA is closely watching. Savvis filed a motion to dismiss in response to the lawsuit. I’m not a lawyer, but I’m glad David is. He explains the reasoning, and even mentions that Merrick’s potential procedural error (or end-around) could get this case dismissed before the substantive merits of the case can be explored, thus continuing to leave the world in the dark about more potential liabilities involved with performing PCI Assessments. Go check it out!


Clarification on MasterCard Level 2 Requirements

Javelin Strategy & Research posted an update to the new MasterCard Requirements. After speaking with John Verdeschi, Robert Vamosi pointed out an error in our initial analysis. After re-reading my material, I looked at one piece of information and made a leap (incorrectly) about the intent (see the final word here). John clarified that the intent is to use the next eighteen months as a transition period. Level 2 merchants should both submit a SAQ, and also have an On-Site assessment completed so they can submit a Report on Compliance by December 31, 2010. This means that Level 2 Merchants effectively have eighteen months to complete a readiness assessment, remediate, and validate compliance. Sorry for the confusion folks, and thank ...


Nevada’s New PCI Law

You’ve probably heard about it by now. Thanks to a friend doing business in Nevada, I was alerted to this new law last week. Nevada is now the second state to enact laws requiring companies to comply with PCI (though, arguably, the Massachusetts Identity Theft Prevention Regulations seemed to have been lifted at a high level from PCI), the first being Minnesota. David Navetta has a great analysis from a legal perspective, and Chris Mark published his thoughts as well. One thing that is interesting about the Nevada law is an apparent Safe Harbor provision. Will this added pressure force more religious views on payment security and compliance inside companies? Or will companies continue to roll the dice with their ...


More on NRF’s Letter to PCI SSC, and the Wireless Network that Could

A couple of weeks ago, I jotted down a few thoughts on the letter from the NRF to the PCI-SSC about the PCI Standards. My post was a bit rant-ish, but Anton Chuvakin threw down a great review in his blog yesterday. The only point that I wanted to add a different opinion on is the use of WEP. I’ve been a proponent for wide open wireless networks in corporations for a few years. I argue that because network compromises are either hit-or-miss with advanced encryption technologies, most hackers default to attacking hosts instead. One of our own testers is known to breach networks that security professionals thought were virtually impenetrable. He didn’t do it by packing a Cray into ...


More on MasterCard’s Level 2 Change

On Wednesday, we discussed MasterCard’s new requirement for Level 2 merchants to have an on-site assessment performed instead of submitting the Self-Assessment Questionnaire (see the final word here). This news prompted a flurry of information around the new requirement and has merchants asking lots of questions. I clarified a couple of items from my last post and wanted to make sure they were clear. MasterCard’s 2010 deadline is more of an end to submitting SAQs as opposed to a deadline to be validated by a QSA. This means that Level 2 merchants will continue to be able to submit SAQs until December 31, 2010, after which they will need to have the on-site assessment performed by a QSA. The On-Site ...


NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants

Thanks to Smiley for the tip! See the final word here. MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry-wide requirement of self-assessing for merchants processing less than six million transactions annually. While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided ...


Are you passionate about security?

People often come up to me and say things like, “Wow, you really are passionate about your work!” Aside from the old “Do what you love, and love what you do” adages our great grandparents regurgitate to us when they see us struggling with some arguably trivial thing in our work lives, passion is something that people can see on you. We’ve all sat through one of those talks at a conference or an association meeting where it is clear that the speaker is just going through the motions. Maybe they are not just reading right off the slides, but you can tell that the only thing they are thinking about is hitting the tables, bar, or airport. Did you ...

