Monthly Archives: August 2009

Herding Cats, Bringing You up to Date!

I’ve been neglecting you all. I usually post PDF versions of Herding Cats here on the blog for you all to read! If you are not an ISSA Member, stop what you are doing and click here to join. If you are, you can catch Herding Cats in an ISSA Journal online or in print! The last edition I posted was from April. Here are the ones that I have published since then:

The Perimeter has Left the Building, 08/09
Security is a Mindset, 07/09
The Cost of Ethics & Integrity, 06/09
The Breach You DID Expect, 05/09

Don’t forget, you can see all the editions right here on the site!

Upgrading to Snow Leopard (Quicksilver Fix!)

Moments ago, I did the upgrade… to Snow Leopard!  I did this on my laptop first, leaving my desktop out of the picture until I have worked through the process and kinks.  This post will serve as my notes, plus assisting you, on some of the good and bad. First, have you cleaned up your mac?  Before you even think about upgrading, there are a few tasks you should do—like backing up and simple maintenance tasks.  LifeHacker has a GREAT post on this, so before you even think about starting, follow their guide to making a sluggish mac more snappy. That is simply one of the steps in their larger guide to preparing your mac for the Snow Leopard Upgrade.  ...

PCI SSC Releases Skimming Prevention Tips

Skimming (in the credit card world) is commonly defined as capturing magnetic stripe data during the normal payment process by swiping it through an external (or even inline) device before or after the authorization swipe.  External devices are commonly found in stores where a payment instrument is presented, and someone takes the card away from view to process, like at a restaurant.  Inline skimming occurs where the cardholder is present during the swiping, and usually involves tampered swipe devices. The PCI Security Standards Council recently released an EXCELLENT guide with tips on preventing skimming, with sample forms that you can use to track your progress.  Most of the skimming techniques employed can be addressed with physical inspection, something with which ...

The End of PIN-Debit for Fuel?

PIN-based debit authorization rates have recently increased dramatically, with some merchants complaining that their auth rates have risen to as much as four times their previous rate. In some armchair research, I learned that Interlink (Visa) and Pulse (Discover) have removed interchange caps on transactions. For most merchants, it is still cheaper to process a PIN-based debit transaction than a credit card transaction (on a per-transaction basis), but for others it is about the same. Or at least the difference in cost is so minimal that their volumes don’t force an advantage one way or the other. Visa is enforcing PIN Entry Device (PED) mandates, effective on July 1, 2010, whereby all PEDs must comply with the PCI PED Standard. For retailers ...

Splain it, Brando!, and Finding your Data

On Thursday, I threw out a blog post which I hope to be the start of a series playing on Dave Ramsey’s style for financial peace, and realized I played the role of a consultant PERFECTLY (just like Marshall Eriksen might LAWYER you). SK pointed that out for me when he asked me to elaborate. In a back-to-school fashion, imagine this conversation as played through your teenage daughter’s cell phone. “I was all, ‘Just find the data!’, and he was all, ‘Whatever.’” I am so in touch with today’s youth. SK brought up a good point. Let’s say you are working with an enterprise that does not have any of the following: 1) a working DLP solution, 2) ...

Dave Ramsey Applied to Security, Baby Step #1

I’ve been on a Dave Ramsey kick lately.  I like his message and his concept of declaring war on debt.  One of his mantras can save people TONS of cash if they would just use basic things they learned in school. “Do the math!” Everyone out there has a brother-in-law, church buddy, or friend of a friend who is “a finance guy.”  We tend to listen to people we consider experts without questioning their motives, simply because we don’t believe we can comprehend the complexity of the question enough to figure the answer out ourselves. For example, several years ago I went to a car dealership to buy my wife a new car.  I had just recently graduated with my ...

New Visa Mandates are NON-US/Canada!

Well, I was waiting to see if anyone would catch it, and unfortunately it looks like a couple of industries struggling with Visa’s Payment Application Mandates are not going to get a reprieve. Earlier this month, I posted about some new Visa Payment Application Mandates. What I didn’t drop into the blog post was that Visa made sure this new mandate did not supersede their previous mandate, meaning that US and Canada merchants do not get a two-year reprieve and that these are now GLOBAL mandates. Non-US/Canada merchants now have a reason to get moving and deploy up-to-date payment applications!

Bob Carr: “QSAs let us down.” And Things Never Heard by a QSA

Bob Carr was recently quoted in a Computerworld article saying that QSAs let [Heartland] down. Of course, he is not referring to his most RECENT QSA, but I’m sure that was an editorial change to make the story more interesting. The article is a fantastic read, but also slightly humorous in nature. I’m going to leave Heartland’s situation out of this post, and look at how other companies have dealt with breaches. If you want to see what others are saying, check Rich Mogull, Mike Rothman, and Andy Willingham. Nearly every company I have worked with suddenly “Gets Religion” after a breach. Prior to it, security is not top of mind, therefore things like PCI become burdensome as opposed ...

Visa Sets Payment Application Security Mandates

As many of us in the industry had suspected, Visa has delayed its payment application security mandates two years to 2010 (newly boarded merchants) and 2012 (all merchants). The information was officially released on June 24, but I certainly did not see any public reference to it until recently. This is rumored to be largely in response to a low-supply and high-demand issue in the fuel industry. So those of you that were dealing with unrealistic deadlines, you’ve got a reprieve! Keep pushing though, don’t be one of those guys limping in at the eleventh hour!

Featured on the SecureLexicon Podcast

Steven Fox, blogger for CSO Online and fellow columnist in the ISSA Journal, interviewed me for his Art of War Podcast, where I discuss the parallels between Sun Tzu’s teachings and PCI Compliance. Of the podcasts I’ve done, this one was particularly fun for me because I had to grab my Art of War book off the shelf and study up for it! Sun Tzu’s teachings apply to PCI and Information Security (it is a war, people) when you read his book in the light of an information security perspective. Go check out Steven’s column in the Journal, his excellent podcast, and Sun Tzu’s Art of War!