Monthly Archives: September 2009

The Definition of Cardholder Data

The definition of cardholder data for most of us usually stops at the Primary Account Number, or PAN.  Those pesky digits that we have to protect as they run through our systems cause CIOs to cringe and security professionals to salivate over potential budget money.  Before you can embark on your information security journey, you need to understand what you must secure, and where it is.  I’ve posted about this before, and as that is one of my most popular posts, I wanted to go back and revisit it. When I wrote it, we were still dealing with PCI DSS v1.2.1. While the definition has not changed in more recent versions, the landscape has quite a bit. I’ve updated ...
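
A worked example of the “what you must secure, and where it is” point, added here as an illustration and not code from the original post: it scans a few constructed log lines for candidate PANs, keeps only those that pass the Luhn check digit, and masks the survivors to the first six and last four digits (the PCI DSS 3.3 display rule). The candidate regex, the 13-19 digit length range, the separator set and the sample log lines are assumptions made for this example; the two PANs it finds are widely published test numbers, not real cards.

```python
import re

# Candidate: 13-19 digits, each optionally followed by one space or dash,
# not adjacent to other digits. Length range and separators are assumptions.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Length in the ISO/IEC 7812 range (13-19 digits) and Luhn-valid."""
    return 13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)


def mask_pan(digits: str) -> str:
    """Display masking per PCI DSS 3.3: at most the first six and last four visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (raw_match, normalized_digits) for each Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _SEPARATORS.sub("", m.group(0))
        if looks_like_pan(digits):
            hits.append((m.group(0), digits))
    return hits


def redact(text: str) -> str:
    """Replace each Luhn-valid candidate with its masked form; leave everything else as-is."""
    def _mask(m):
        digits = _SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if looks_like_pan(digits) else m.group(0)
    return _CANDIDATE.sub(_mask, text)


# Constructed sample: two public test PANs (one with spaces), one non-Luhn
# 16-digit string, and a 14-digit batch id that must NOT be flagged.
SAMPLE_LOG = """\
2009-09-30 14:30:12 order=10293 card=4111111111111111 amount=19.95
2009-09-30 14:31:07 order=10294 card=4111 1111 1111 1111 amount=5.00
2009-09-30 14:32:44 order=10295 card=1234567890123456 amount=42.00
2009-09-30 14:33:01 batch_id=20090930143012 note=card 378282246310005 settled
"""

if __name__ == "__main__":
    for raw, digits in find_pans(SAMPLE_LOG):
        print(f"found PAN {mask_pan(digits)} (matched text {raw!r})")
    print(redact(SAMPLE_LOG))
```

Two caveats a practitioner would want: the Luhn check only rejects nine of every ten random digit strings, so a discovery pass over large data sets will still surface false positives (timestamps, order numbers) that need review, and masking for display is not the same as rendering the PAN unreadable wherever it is stored, which is a separate requirement.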

Ask the Council

Vegas is in the books, baby!  I’d call it a successful community meeting.  The networking opportunities were fantastic, and the sights were awesome (including seeing Russo dress up like Elvis, which I did not take a picture of… see Bob? I can play within the rules :).  More on the handling of social media later… it was not handled well).  For those staying in THEhotel, we got to walk off the calories we consumed with the long walk from the room to the conference center that we made at least twice daily.  Of course, it is Las Vegas.  It’s REALLY hard to concentrate when you know that you don’t have to walk far to be bombarded by flashing lights, bells, whistles, and ...

PCI Community Meeting Update Schedule

The meeting this year promises to be a goodie!  What you won’t see from attendees (including me) is any live blogging or tweeting about the meetings this year.  I’m going to be responsible this year, and will blog about the event AFTER it happens. Don’t expect any confidential information to be revealed (though that’s not something you should expect from me if you have been reading my blog for any period of time now).  Any concepts you find here will be applied in a general manner.  I will do some kind of wrap-up posting series next week. So this week, look for us at the PCI Community Meeting, and come to the Welcome Reception sponsored by VeriSign ...

Why You Should Love a PCI Hater!

Ahh, the haters.  Everyone that deals with PCI on a regular basis knows one.  Sometimes they take the form of a guy that doesn’t want to actually do his job, or an armchair security gal, or your nemesis that uses his industry position to irresponsibly spread false propaganda, or true security experts that point out serious concerns or flaws with the standard.  As security professionals, we key stakeholders (including QSAs, ASVs, payment brands, and the framers of the standard itself) need to listen to the last group intently to ensure that we understand the risks as they pertain to the changing threat landscape, making adjustments where appropriate to protect the data entrusted to us. PCI haters are valuable people.  By ...

PCI Community Meeting, Vegas!

I hope to see many of you next week at the PCI Community Meeting in Las Vegas!  VeriSign will have a booth and is a sponsor for the event.  If you are going, please do stop by our booth and attend our sponsored cocktail hour!  We’ll have some goodies and some exciting news for everyone that stops to chat! At this point, I’m not sure what kind of coverage I’ll be able to provide from the meeting, but more on that soon. Before you arrive for the sessions, I urge you to review the myriad information available on the PCI Security Standards Council website, including the recently published SIG papers, and prepare your questions.  This is your chance to ...

The Dangers of Hindsight

Bob Carr gets it. He had to suffer through one of the largest credit card breaches on record to get there, but he gets it. Digital Transactions Magazine published an article featuring Carr entitled Don’t Hire a QSA by Seeking the Lowest Bid, Warns Heartland’s Carr.  In it, Carr painfully recalls how his previous assessors did not provide him much value, and how the low-cost bid is rarely ever the best bid.  If you read his article, he doesn’t specifically argue that costs should start escalating quickly, but rather he argues that companies should spend the time to get a QSA that does a thorough job, and is not motivated to get in the door, go as quick as possible, and ...

Getting the Most from your QSA

Bill Brenner of CIO magazine published a feature article on Wednesday entitled “4 Ways to Get the Most From Your PCI QSAs” where he picks four main things to focus on when using the services of a QSA.  VeriSign published a whitepaper last year reviewing several items to consider when shopping for a QSA, all of which tied back to Brenner’s recommendations. Brenner asserts that the four ways to get more from your QSA are: Choose your vendor wisely. PCI compliance is probably an important project to your organization, so be sure you find a QSA that will make your project successful.  Don’t hastily throw a solution together; treat it like the strategic project it is (and then treat it ...

Visa Makes Registration Easier!

Are you a service provider frustrated with the steps you have to go through to become listed on Visa’s global list of PCI DSS validated service providers?  The process of getting listed when you are not a member or a direct agent of a member seemed clouded and painful, until now! Visa recently added a very detailed Third-Party Agent (TPA) section to the Risk Management section of their website that details exactly what needs to be done to be listed on the site.  If that were not enough, there is a fantastic FAQ in PDF form that you can take with you wherever you go. As part of this change, Visa eliminated all of the old classifications like Independent Sales ...

Oracle cracks everyone up

Did anyone else giggle a little bit when they saw that Oracle delayed its quarterly patch release because it would coincide with the OpenWorld 2009 Oracle conference?  According to Oracle, they didn’t want administrators to have to choose between installing updates in a timely manner and attending the conference. That’s funny to me because I have NEVER met an Oracle DBA that was excited about pushing patches to their servers within a couple of days (the original release was slated for October 13, and the conference ends on the 15th).  In fact, between Oracle DBAs and z/OS administrators, I don’t know who wins the prize for yelling the loudest about patching within thirty days. THIRTY days. Not two days.  THIRTY ...

Blame MBAs for PCI Remediation Costs!

Do you ever wonder how we got into this situation?  Where merchants are facing tremendous fines for non-compliance, companies are being compromised by hackers here and overseas, and data security programs seem to be non-functional at best (if not non-existent)? I’ll tell you how… MBAs.  Yep, those pesky folks that learn the inner workings of how to take advantage of numbers to best increase their own personal compensation.  Yes, another MBA dog-pile.  And I feel qualified to pick on my MBA brethren because I are one. All seriousness aside (did I do that right?), let’s think about how payment systems started inside retailers.  This is a classic example of the Build vs. Buy problem in every single MBA finance class.  ...
