Yearly Archives: 2009

Visa Sets Payment Application Security Mandates

As many of us in the industry had suspected, Visa has delayed its payment application security mandates by two years, to 2010 (newly boarded merchants) and 2012 (all merchants). The information was officially released on June 24, but I certainly did not see any public reference to it until recently. This is rumored to be largely in response to a low-supply, high-demand issue in the fuel industry. So those of you who were dealing with unrealistic deadlines, you've got a reprieve! Keep pushing though; don't be one of those guys limping in at the eleventh hour! ...

Featured on the SecureLexicon Podcast

Steven Fox, blogger for CSO Online and fellow columnist in the ISSA Journal, interviewed me for his Art of War Podcast, where I discuss the parallels between Sun Tzu's teachings and PCI compliance. Of the podcasts I've done, this one was particularly fun for me because I had to grab my Art of War book off the shelf and study up for it! Sun Tzu's teachings apply to PCI and information security (it is a war, people) when you read his book from an information security perspective. Go check out Steven's column in the Journal, his excellent podcast, and Sun Tzu's Art of War! ...

How PCI Can Ruin You

No, this is not one of those posts pooh-poohing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers I had visited over the years, all the problems I have seen, and how even today the problems that come up are essentially caused by a few common root issues. BTW, I'm hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them! That was, by far, my favorite part of writing the book. Maybe I'll try some bad fiction writing next? (FAIL) Anyway, one of the things that the information security ...

The Simplicity of PCI, and the Best Way to Complicate It!

OK folks, bring on the love. Ready? I'm going to stick my neck way out there. PCI is easy. *GASP* OK, taking a company that ignored security (or only focused on one particular element of a good security program) to compliance is hard, painful, and will result in lots of kicking and screaming and other tantrum-like actions. Why? See this post. But take PCI DSS on the surface. It's prescriptive (potentially overly so in some cases), it is based on a good, common set of security practices that, quite frankly, you should already be doing, and its impact on your organization can be limited dramatically depending on how you approach it. If you look at the high-level twelve ...

MasterCard Fines Start NOW

On Monday, I told you all about a MasterCard fine schedule, but I was unsure when it was going to start. Well, as it turns out, Level 2 and 3 merchants are being fined NOW, not sometime after the December 2010 date. That's right, some Level 2 merchants have already received their first $25K fine from MasterCard under its new fine program. Apparently, that's how many of the acquirers found out about the program!

Fun Times with Encryption

Time for a throwback! This year, I posted my new article "The Art of the Compensating Control" over a three-week period back in April. A reader recently contacted me about a claim I make in Part 4 of the posting. He says: "In your April 2009 blog The Art of the Compensating Control (Part 4) Tax Day special, you stated that using the random function in COBOL to generate your key was, in a sense, 'a really bad idea'. I have no knowledge of encryption so I don't see the fault with the process. How would this be equivalent to only 53 bits of encryption?" Excellent question! The basis of this post relies on a tool by Mandylion Labs ...

MasterCard to Fine Merchants for Non-Compliance

OK, SOMEONE out there has some explaining to do. Like, right now. Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa. We've had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months, beginning NOW. Why the ambiguity? None of our customers seem to have a date when the fines start! This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...

The Breach You Didn't Expect

Portions of this post originally appeared in the March 2009 issue of the ISSA Journal. We just got our first severe weather scare of the year in Texas. A tornado was reported by spotters less than five miles from my house on February 11th. Some of my customers have facilities in Tornado Alley and have heavily fortified their data centers to take a direct hit from a tornado. Usually, the secondary data center is also in Tornado Alley. Why would you put two data centers in harm's way? When you run the probability calculations, the likelihood of both being destroyed is about the same as an intersection in Montana having a Starbucks on every corner (OK, I'm going out on ...

Guest Post: HITECH Alters HIPAA: Will HIPAA be 'Hip'?

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice. With the current "non-stimulating" economy, there is a lot of talk about the "stimulus" bill, which is impacting all areas of the US economy. One such impact is the reason for today's blog post. A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), will have a significant impact on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This new law revives HIPAA, which has been around for over a decade but has often gone unnoticed or not strongly enforced, with no incentive to comply, amongst the other ...

Why PCI DSS is a Good Thing for YOU!

You know, it's kinda funny. Everywhere I go, I see how polarizing PCI DSS is. If you deal with PCI often, think about your interactions with others when discussing PCI. This is a response you have probably never heard: "Well, that PCI thing is OH-KAY. I'm not really thrilled one way or the other..." More likely it was something like "That F&*@ing PCI DSS! I hate it!" or "God bless those PCI DSS Overlords for giving me a stick to whip my company into shape!" I tend to hear the former much more than the latter, but that demonstrates the wide difference in corporate cultures faced with PCI DSS. Those of you screaming and complaining about PCI should stop for ...
