Monthly Archives: October 2010

Scoping Fun with PCI DSS 2.0

OK, so as you can see from the comments, my post yesterday generated a bit of controversy. I must apologize for the 1.3.3 miss as I did my initial research after a long night of, um, networking at the PCI Community Meeting in Orlando. That post was put together with haste over the last three days, while trying to review and decipher some passionately scrawled chicken scratch. I went back and responded to the comments (no editing, it’s all there), and wanted to talk about another significant change I didn’t discuss yesterday. Page 10 of PCI DSS 2.0 adds quite a bit of text into the Scoping guidance that QSAs and assessees use to determine the correct scope for their ...

PCI DSS 2.0 Release and Review

Yep, it’s out. Well, at the time I am writing this it is not out, but by the time you read this it will be! You can go download the standard and the summary of changes at the Council’s new site. I’m not going to go over EVERY change, but will highlight some of the more significant ones that will impact how companies approach PCI DSS. Here are some highlights that I think are interesting. Explanation of how and where PA-DSS applies is a key clarification that was well known in the industry but was not documented in the standard like this. Very helpful. VIRTUALIZATION is FINALLY included throughout the standard. From page 10 in the scoping guidance through to ...

American Express Updates Merchant Reporting Requirements

This week is a big one for those of us involved in PCI DSS, and all that implies. Check back on Thursday for a review of the changes in PCI DSS v2.0. I’ve completed an initial review using the embargoed version, but will double check my work based on what actually comes out on the 28th. In the meantime, American Express quietly pushed a new change to their Merchant Reporting requirements over the weekend. What was previously a requirement for the EU only is now a global requirement regardless of location. Level 2 American Express merchants (as defined by processing between 50,000 and 2.5 million transactions per year) must now submit an annual SAQ and quarterly network scans performed by ...

RSA Europe Recap and the Spread of Regulatory Compliance

Why have I been radio silent this week? It’s certainly not because I have a lack of things to say. Even my own teammates are surprised when I tell the recent stories of being out-talked. A couple of things are going on that you might be interested in. For one, I am doing a project for the next three weeks for the North Texas Chevy Dealers. In exchange for writing about and videoing my experiences, I have been given a 2011 Chevy Silverado Extended Cab, Texas Edition truck to drive. Follow my adventures over here to see me kick the tires! Outside of driving trucks and blogging about that, I spent the week in London for RSA Europe. The ...

Is Tokenization Safe?

In our industry, topics turn hot and cold in record time. The hot topic this week seems to focus on the safety of using Tokenization as a solution for reducing compliance and security requirements. I found this blog post on StoreFront BackTalk by Walt Conway that poses the question, “What happens to my data if my token vendor goes bankrupt?” Earlier in the week, as part of my ISSA Editorial Advisory Board duties, I reviewed an article that posed some of the very same questions. Outsourcing the handling of payment data is a critical decision for merchants to consider, and it should not be taken lightly. Just like any other major decision any company makes, merchants should perform a risk ...

Herding Cats October, Seeing Through the Fog

Have you checked out ISSA Connect yet? The next issue is up there with my column, Seeing Through the Fog. Cloud Computing and associated utility computing topics make lawyers and insurance underwriters uneasy. Like for real. But it’s all about a little bit of education on the topic. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

Cloud Ain’t So Scary!

After the end of quarter madness calmed down on Friday afternoon, I had a few minutes to reflect on an interesting panel discussion I sat on (to which I was almost late). I was speaking with a group of underwriting and legal professionals about cloud computing and the security and compliance problems it presents. The fear in the room was nearly tangible. As with most issues relating to information security, it all comes back to the data. Cloud services are perfect for some applications, and downright frightening for others. It’s not to say that certain cloud types are inherently more insecure (although in some cases they are), but it’s more about the structure of the cloud services as it relates ...

September 2010 Roundup

What was popular in September? We had the PCI 2010 Community Meeting in Orlando, embargoed documents from the Council, some posts that poked a little fun, and a cloudy experience with Desktop as a Service! On that last one, apologies for the incorrect link to the VMWare release. At least you guys know what I was wondering about when I worked on that edited post. Yes, I was concerned about that fungus. It’s benign tho, so don’t worry. Here are the five most popular posts from last month: Review of the 2010 ____ ____ Meeting. Sometimes the most popular posts only have a few days to percolate. That would be the case with my initial review of the PCI Community ...
