Monthly Archives: September 2009

The Definition of Cardholder Data

The definition of cardholder data for most of us usually stops at the Primary Account Number, or PAN.  Those pesky digits that we have to protect as they run through our systems cause CIOs to cringe and security professionals to salivate over potential budget money.  Before you can embark on your information security journey, you need to understand what you must secure, and where it is.  I’ve posted about this before. As this is one of my most popular posts, I wanted to go back and revisit this post. When I wrote this post, we were still dealing with PCI DSS v1.2.1. While the definition has not changed in more recent versions, the landscape has quite a bit. I’ve updated ...

Ask the Council

Vegas is in the books, baby!  I’d call it a successful community meeting.  The networking opportunities were fantastic, and the sights were awesome.  For those staying in THEhotel, we got to walk off calories consumed with the long walk from the room to the conference center that we made at least twice daily.  Of course, it is Las Vegas.  It’s REALLY hard to concentrate when you know that you don’t have to walk far to be bombarded by flashing lights, bells, whistles, and other sensory delights designed to make you give money to the casino.  I came out about even. WIN. The first posts and stories have already started coming out; I’ve submitted my feedback on the meeting, and now ...

PCI Community Meeting Update Schedule

The meeting this year promises to be a goodie!  What you won’t see from attendees (including me) is any live blogging or tweeting about the meetings this year.  I’m going to be responsible this year, and will blog about the event AFTER it happens. Don’t expect any confidential information to be revealed (though that’s not something you should expect from me if you have been reading my blog for any period of time now).  Concepts that you might find here will always apply knowledge in a general manner.  I will do some kind of wrap up posting series next week. So this week, look for us at the PCI Community Meeting, and come to the Welcome Reception sponsored by VeriSign ...

Why You Should Love a PCI Hater!

Ahh, the haters.  Everyone that deals with PCI on a regular basis knows one.  Sometimes they take the form of a guy that doesn’t want to actually do his job, or an armchair security gal, or your nemesis that uses his industry position to irresponsibly spread false propaganda, or true security experts that point out serious concerns or flaws with the standard.  As security professionals, we key stakeholders (including QSAs, ASVs, payment brands, and the framers of the standard itself) need to listen to the last group intently to ensure that we understand the risks as they pertain to the changing threat landscape, making adjustments where appropriate to protect the data entrusted to us. PCI haters are valuable people.  By ...

PCI Community Meeting, Vegas!

I hope to see many of you next week at the PCI Community Meeting in Las Vegas!  VeriSign will have a booth and is a sponsor for the event.  If you are going, please do stop by our booth and attend our sponsored cocktail hour!  We’ll have some goodies and some exciting news for everyone that stops to chat! At this point, I’m not sure what kind of coverage I’ll be able to provide from the meeting, but more on that soon. Before you arrive for the sessions, I urge you to review the myriad of information available on the PCI Security Standards Council website, including the recently published SIG papers, and prepare your questions.  This is your chance to ...

The Power of Pipes

Boy, after today, I feel like a guy that just discovered how to send a text message. Yahoo Pipes has been around for over two years and I remember lots of buzz about it in 2007.  For whatever reason, I never could find a good application for Pipes, and when I played around with the interface, I never got things to work right. Until NOW. I’m a football guy.  Yeah, some of you out there have your baseball, hockey, basketball, and NASCAR, but I’m a football guy.  Maybe it’s growing up in Texas, or maybe it was all the Sundays watching the legendary Dallas Cowboys of the early 90s, or the Dallas Cowboys patterned shirts that my mom made for ...

The Dangers of Hindsight

Bob Carr gets it. He had to suffer through one of the largest credit card breaches on record to get there, but he gets it. Digital Transactions Magazine published an article featuring Carr entitled “Don’t Hire a QSA by Seeking the Lowest Bid, Warns Heartland’s Carr.”  In it, Carr painfully recalls how his previous assessors did not provide him much value, and how the low-cost bid is rarely ever the best bid.  If you read his article, he doesn’t specifically argue that costs should start escalating quickly, but rather he argues that companies should spend the time to get a QSA that does a thorough job, and is not motivated to get in the door, go as quick as possible, and ...

Getting the Most from your QSA

Bill Brenner of CIO magazine published a feature article on Wednesday entitled “4 Ways to Get the Most From Your PCI QSAs” where he picks four main things to focus on when using the services of a QSA.  VeriSign published a whitepaper last year reviewing several items to consider when shopping for a QSA, all of which tied back to Brenner’s recommendations. Brenner asserts that the four ways to get more from your QSA are: Choose your vendor wisely. PCI compliance is probably an important project to your organization, so be sure you find a QSA that will make your project successful.  Don’t hastily throw a solution together, treat it like the strategic project it is (and then treat it ...

Visa Makes Registration Easier!

Are you a service provider frustrated with the steps you have to go through to become listed on Visa’s global list of PCI DSS validated service providers?  The process of getting listed when you are not a member or a direct agent of a member seems clouded and painful, until now! Visa recently added a very detailed Third-Party Agent (TPA) section to the Risk Management section of their website that details exactly what needs to be done to be listed on the site.  If that were not enough, there is a fantastic FAQ in PDF form that you can take with you wherever you go. As part of this change, Visa eliminated all of the old classifications like Independent Sales ...

Oracle cracks everyone up

Did anyone else giggle a little bit when they saw that Oracle delayed its quarterly patch release because it would coincide with the OpenWorld 2009 Oracle conference?  According to Oracle, they didn’t want administrators to have to choose between installing updates in a timely manner and attending the conference. That’s funny for me because I have NEVER met an Oracle DBA that was excited about pushing patches to their servers in a couple of days (the original release was slated for October 13, and the conference ends on the 15th).  In fact, between Oracle DBAs and z/OS Administrators, I don’t know who wins the prize for yelling the loudest about patching within thirty days. THIRTY days. Not two days.  THIRTY ...
