Monthly Archives: August 2009

Herding Cats, Bringing You up to Date!

I’ve been neglecting you all.  I usually post PDF versions of Herding Cats here on the blog for you all to read!  If you are not an ISSA Member, stop what you are doing and click here to join.  If you are, you can catch Herding Cats in the ISSA Journal online or in print!  The last edition I posted was from April.  Here are the ones that I have published since then:

The Perimeter has Left the Building, 08/09
Security is a Mindset, 07/09
The Cost of Ethics & Integrity, 06/09
The Breach You DID Expect, 05/09

Don’t forget, you can see all the editions right here on the site!

Upgrading to Snow Leopard (Quicksilver Fix!)

Moments ago, I did the upgrade… to Snow Leopard!  I did this on my laptop first, leaving my desktop out of the picture until I have worked through the process and kinks.  This post will serve as my notes, and hopefully help you, on some of the good and the bad. First, have you cleaned up your Mac?  Before you even think about upgrading, there are a few tasks you should do—like backing up and simple maintenance tasks.  LifeHacker has a GREAT post on this, so before you even think about starting, follow their guide to making a sluggish Mac more snappy. That is simply one of the steps in their larger guide to preparing your Mac for the Snow Leopard upgrade.  ...

PCI SSC Releases Skimming Prevention Tips

Skimming (in the credit card world) is commonly defined as capturing magnetic stripe data during the normal payment process by swiping it through an external (or even inline) device before or after the authorization swipe.  External devices are commonly found in stores where a payment instrument is presented, and someone takes the card away from view to process, like at a restaurant.  Inline skimming occurs where the cardholder is present during the swiping, and usually involves tampered swipe devices. The PCI Security Standards Council recently released an EXCELLENT guide with tips on preventing skimming, with sample forms that you can use to track your progress.  Most of the skimming techniques employed can be addressed with physical inspection, something with which ...

The End of PIN-Debit for Fuel?

PIN-based debit authorization rates have recently increased dramatically, with some merchants complaining that their auth rates have increased up to four times their previous rate.  In some armchair research, I learned that Interlink (Visa) and Pulse (Discover) have removed interchange caps on transactions.  For most merchants, it is still cheaper to process a PIN-based debit transaction than a credit card transaction (on a per-transaction basis), but for others it is about the same.  Or at least the difference in cost is so minimal that their volumes don’t force an advantage one way or the other. Visa is enforcing PIN Entry Device (PED) mandates, effective on July 1, 2010, whereby all PEDs must comply with the PCI PED Standard.  For retailers ...

Visa Gets RSS!

Celebrate from the mountain tops!  Visa got some RSS!  Hopefully they will dutifully update the feed (or have scripts that do), unlike the PCI SSC’s feed, which traditionally lags behind and currently does not include their latest skimming guide.  RSS is a GREAT way to keep your stakeholders in touch with your programs, but you really do have to stay on top of it!

Splain it, Brando!, and Finding your Data

On Thursday, I threw out a blog post which I hope to be the start of a series playing on Dave Ramsey’s style for financial peace, and realized I played the role of a consultant PERFECTLY (just like Marshall Eriksen might LAWYER you). SK pointed that out for me when he asked me to elaborate. In a back-to-school fashion, imagine this conversation as played through your teenage daughter’s cell phone. “I was all, ‘Just find the data!’, and he was all, ‘Whatever.’” I am so in touch with today’s youth. SK brought up a good point.  Let’s say you are working with an enterprise that does not have any of the following: 1) a working DLP solution, 2) ...

Dave Ramsey Applied to Security, Baby Step #1

I’ve been on a Dave Ramsey kick lately.  I like his message and his concept of declaring war on debt.  One of his mantras can save people TONS of cash if they would just use basic things they learned in school. “Do the math!” Everyone out there has a brother-in-law, church buddy, or friend of a friend who is “a finance guy.”  We tend to listen to people we consider experts without questioning their motives, simply because we don’t believe we can comprehend the complexity of the question enough to figure the answer out ourselves. For example, several years ago I went to a car dealership to buy my wife a new car.  I had just recently graduated with my ...

New Visa Mandates are NON-US/Canada!

Well, I was waiting to see if anyone would catch it, and unfortunately it looks like a couple of industries struggling with Visa’s Payment Application Mandates are not going to get a reprieve. Earlier this month, I posted about some new Visa Payment Application Mandates.  What I didn’t drop into the blog post was that Visa made sure this new mandate did not supersede their previous mandate, meaning that US and Canada merchants do not get a two-year reprieve and that these are now GLOBAL mandates.  Non-US/Canada merchants now have a reason to get moving and deploy up-to-date payment applications!

Bob Carr: “QSAs let us down.” And Things Never Heard by a QSA

Bob Carr was recently quoted in a Computerworld article saying that QSAs let [Heartland] down.  Of course, he is not referring to his most RECENT QSA, but I’m sure that was an editorial change to make the story more interesting. The article is a fantastic read, but also slightly humorous in nature. I’m going to leave Heartland’s situation out of this post, and look at how other companies have dealt with breaches. If you want to see what others are saying, check Rich Mogull, Mike Rothman, and Andy Willingham. Nearly every company I have worked with suddenly “Gets Religion” after a breach.  Prior to it, security is not top of mind, therefore things like PCI become burdensome as opposed ...

MasterCard Clarifies their Position

FINALLY!  An official statement from MasterCard!  Last night, MasterCard posted a four-page FAQ on their website to help us deal with the onslaught of buzz that came from their original posting.  Some of it is anecdotal and humorous (albeit literally true), and some of it comes from this very blog. Here’s the meat of what you need to know: Level 1 merchants that engaged an internal audit team before 15 June 2009 must validate compliance with a QSA by December 31, 2010. Level 2 merchants must ALSO validate compliance with a QSA by December 31, 2010. Internal assessments MAY NOT be performed.  The way that MasterCard words this, it appears to be a punt over to the Council.  If the Council would ...
