Monthly ArchivesOctober 2009

Does PTS Apply to ATMs? standard

I’m writing (but not publishing…. Come on folks, it’s 2009…) this from 35,000 feet, somewhere over  the north Atlantic, east of Iceland.  What else am I going to do while sitting in a big, metal recycled air tube hurtling over the surface at speeds never meant for man?  Think and write about security, of course! I’m heading back state-side after a great PCI Europe community meeting.  I didn’t get the final count, but the meeting had just north of 200 attendees.  It seemed smaller than last year, but that could have been the seating arrangement.  One of my favorite sessions is always the PCI Standards Feedback and Q&A Sessions.  This year was no different! While the questions in the US ...

Continue Reading

The Madness of Sampling standard

The PCI DSS instructs assessors to sample certain parts of the population when validating compliance.  According to the PCI DSS, the sample “must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.”  That often leads to the next two questions—the answers to which tend to vary among assessors: What do you mean by representative selection (or how many is representative)? What do you consider sufficiently large to gain assurance? In the audit world, internal auditors that review IT systems will look to statistically valid samples as a method to determine how ...

Continue Reading

The Problem with Logging standard

Kim Zetter from Wired Magazine put Wal-Mart back in the news recently with information about an alleged incident that occurred in the 2005-2006 timeframe.  One of the key issues making the rounds is the following assertion made by Zetter: The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis. Logs serve multiple purposes, and for that reason they tend to grow rapidly.  Sure, storage is cheap nowadays, but every company still struggles with this very basic concept.  While I won’t speak specifically to the Wal-Mart incident (Evan Schuman has some great additions), I will address some of what I see with my customers and their struggles with logging. Over-Logging This is more typical than ...

Continue Reading

MasterCard/Visa Remove Reciprocity standard

Thanks to a fellow reader for pointing this out!  It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions.  Discover still has the reciprocity statement on their levels, American Express and JCB never used reciprocity for their level definitions (to my best recollection). Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold.  Now it appears that this is the case as the official merchant level definitions reflect exactly this. Unfortunately, the road does not end there.  In fact, it starts forking like crazy. Now that ...

Continue Reading

The Lost Assessment standard

Like many fans of Dan Brown’s character Robert Langdon, I was one of the first to tear through The Lost Symbol last month.  Symbology in ancient and modern cultures is fascinating, and somehow while I was reading the book, I made a parallel between this final lost symbol (no spoilers here, you need to go read the book!) and the quest for security and compliance nirvana. In the book, Mal’akh is searching for what he believes is the final piece to a puzzle that will make him an all powerful, deity like creature.  His quest began while imprisoned in a Turkish prison (yes he HAS seen the inside of a Turkish prison, Clarence) with the son of a prominent 33rd ...

Continue Reading

Curious on Visa’s Deadlines? standard

Are you wondering which deadlines for PCI DSS have passed and which ones are upcoming?  Unfortunately, in most cases the deadlines you are looking for are in the past, with some exceptions.  That’s one of management’s challenges to PCI. Manager: “Tell me what the date is, and I’ll work toward the date.” You: “More than a year ago.” Manager: “I can’t manage to that. Go get an extension and tell me that date.” At this point, you pretty much should just make up a date.  Sure, an acquirer can give you a date, as can some payment brands, if you pick up the phone and call them. It does not ultimately mean anything if you are breached tomorrow. For those ...

Continue Reading

On Writing: The Funnel vs. the Brain Dump standard

Ben Tomhave posted a GREAT overview of what he calls The Writing Funnel—his method of organizing thoughts into publishable content.  If you have not already read his post, you should stop by the link above first.  A ten minute read and well worth it. Ben describes how a thought becomes content in his “Falcon’s *-line (star-line) Approach to Writing” as three unique steps: Offline, Tagline, and Outline. For the majority of my writing, I use both the Offline and Tagline concepts in almost the exact same way. The Offline concept for me works well in a couple of areas, such as working on a plane without Wi-Fi, or in a place where I cannot (or do not wish to) connect ...

Continue Reading

Visa Releases Data Field Encryption Guidance standard

Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals ((paying homage to The Security Catalyst’s “3s and 5s” rule)), and thirteen best practices that companies can implement to meet them. The five goals as listed in the bulletin are: Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption. Use robust key management solutions consistent with international and/or regional standards. Use key-lengths and cryptographic algorithms consistent with international and/or regional standards. Protect devices used to perform cryptographic operations against physical/logical compromises. Use an alternate account or transaction identifier for business processes that requires the primary account number to be utilized after ...

Continue Reading

The Social Media Ban standard

Attendees to the PCI Community Meeting in Vegas two weeks ago were treated to an interesting warning at the opening of the session. No social media or blogging during the meetings. I know that I picked up on it more than anyone else as I tweet and blog just a little. It didn’t take long for attendees to be warned about its use. During Bob’s opening remarks, he cautioned users not to tweet or live blog the events. The two-part irony behind the situation is that members of the press were welcomed into the meetings this year, and three of the five founding members of the council have embraced Twitter. Discover MasterCard (including four executives) American Express (albeit just a ...

Continue Reading

Herding Cats, October 2009 standard

Is now available!  This month?  “Using the Popular Press.”  Lots of SQUIRREL references for all you fans of Up, and of course, @Beaker. Check it out here! Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!