Monthly Archives: August 2010

PCI DSS versus Y2K

It’s been an interesting week in the PCI DSS world. I was a contributor to a webcast from First Data on scope reduction using tokenization. We had the webcasts from the Council about the changes in PCI DSS coming on October 28, and I seem to have gotten a flood of emails reminding me about the community meetings in Orlando and Barcelona. From a global perspective, PCI DSS is slowly making strides in several locales, to the point where I often adjust my daily schedule to help customers in the Pacific Rim, the Middle East, Asia, and Europe. Australian- and New Zealand-based companies seem to be taking particular interest in PCI DSS, equivalent to the levels we saw in early ...

Hey Friends, I’m Over Here!

I recently gave a presentation to a graduate advertising class about social media, with ideas on how it might be used as part of an overall marketing and advertising strategy. One of the things I covered was the concept of geo-tagging and how it relates to social media. There are tremendous privacy concerns related to geo-tagging, but interesting market opportunities as well. We ignored the unintended geo-tagging that occurs when people use location services in their mobile phones or use cameras that are location aware, and focused on check-in applications. Some examples of these applications are the popular FourSquare and Gowalla. Well, it seems Facebook has now joined the fun and added Places. Included in the launch was ...

Where’s the Breach?

All we need to top off this post is a little old lady screaming “Where’s the Breach?” God bless ’80s marketing. A merchant out of Austin, Texas is claiming that a breach in their network came from Heartland Payment Systems (HPS), so it must be HPS’s fault. While I am sure this is not the first merchant to be caught off guard, he’s certainly a creative one. Our culture in America seems to relish deflecting blame from oneself onto others. Why, it couldn’t be me, it must be that guy over there. What’s interesting about this particular case is that the quotes in the article are being interpreted in a manner that is inconsistent with these kinds of breaches ...

The Council is Such a Tease with PCI DSS 2.0

They totally are! Giving us this tiny preview of upcoming changes without really getting too specific. It’s like me saying, “Dude, that chick is HOT!” Then when you ask me to describe her I say, “It’s a lady all right!” OK, back to the real reason you are reading this: the changes to PCI DSS and PA-DSS slated to drop on October 28 are outlined here. The majority of the document reviews the new lifecycle, how and why changes are made, and the three general types of changes: clarifications, additional guidance (which is just a fancy way to say clarification), and requirements that are evolving based on new threats or a change in the market. This release represents ...

Herding Cats August: Embrace the ISA Program

Have you checked out ISSA Connect yet? The next issue is up there with my column, Embrace the ISA Program. Some industry folks fear the empowerment that the Internal Security Assessor program from the Council brings to the table. I, for one, see it as an opportunity to assess PCI compliance more accurately. Oh, and the Hoffacino makes a cameo 🙂 If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally, as well as the authors you enjoy reading every month. If you are not a member, sign up today!

Why your QSA should not be your Security Partner

This one is link-laden, folks. Enjoy 🙂 It’s mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well. Many merchants and service providers mistakenly depend on their QSAs to find all security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to get a complete and compliant ROC in the cheapest way possible. QSA companies are motivated by three main things: scope and price the deal in ...

July 2010 Roundup

What was popular in July? We wrapped the month with some fantastic presentations at Blackhat, Defcon, and BSides. I am enamored with the fun stuff browsers can do (and the not-so-fun things they do to the people that ineptly run them), and am approaching application security with renewed vigor. Here are the five most popular posts from last month: PCI Security Standards go to Three Year Lifecycle. More than twice as popular as its nearest challenger, this post details some of the pros and cons of the new three-year lifecycle that all of the standards will adopt starting with the pending release. Tokenization and Chargebacks. The NRF is making more waves, and Visa released new guidelines. Check out this post ...
