Monthly Archives: April 2011

Does Security Impede Innovation?

Depends on who you ask, I suppose. In my experience as a security professional I have seen some security organizations in big companies that were so well oiled that patches could be rolled out in a few days after release without any impact to the larger organization. I’ve also seen some that were virtually non-existent—victims of poor leadership or political agendas. Most programs I see fall somewhere in the middle of that continuum, but for the most part are not as functional as they could (should) be. Therefore, in those companies, information security is seen as an impediment to innovation and creative people find ways around them. Imagine for a minute that you were a data center manager looking to ...

How to Make a Mobile Payment App Comply with PCI DSS

The PCI Security Standards Council recently made news when they announced that they would no longer be accepting mobile payment applications for PA-DSS compliance consideration. This means that vendors looking to certify new mobile applications or devices are now left in the lurch. But we have to dissect this rather knee-jerk reaction (see, there I go again) by the Council to understand exactly their intent. What they said was: “No mobile payment applications used by merchants to accept or process payment for goods and services would be approved or listed as validated PA-DSS applications unless all requirements can be satisfied as stated… Until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the ...

How Deep is Deep Enough?

After my last post on the Lack of Understanding in QSAs, Brad emailed me and asked how much a QSA or ISA should look behind the curtain for someone like an Iron Mountain (analogy used in the post). I feel like a bad consultant/blogger because I only pointed out a problem, but didn’t point out a solution. It’s OK though, I’m over it now. How deep is deep enough? Here is a basic guideline: Is the service provider currently on the PCI DSS Global Registry of Service Providers, and is their listing current? If so, I think most QSAs would look at how the data is handled prior to the handoff, make sure that the handoff and contracts are compliant ...

Neutral vs. Agnostic

I am not a grammar expert. Did you see that? If you didn’t, start this post over, because that first line is important. I do write often and I have a particular style that I like to follow, but most importantly, I am a student of the English language and not an expert. THAT SAID… There are certain things that people do that really grind my gears. I think it has to do with being granted access to a thesaurus too early in life, or lazy students aiming for a minimum page count. Regardless, the result is the usage of certain words to sound smart even though their usage makes you sound dumb. Today I want to cover a word ...

March 2011 Roundup

What was popular in March? This month was rather light as my travel schedule was a bit hectic. But I’m working on some great stuff for you this month! Here are the five most popular posts from last month: The Lack of Understanding in QSAs. The statistics are getting interesting. Some reports suggest that HALF of the QSAs trained in 2010 were new QSAs. I’m all about fresh blood, but at some point you might need some experienced folks, right? RIGHT? Bueller? I Don’t Need to Know, I Can Look it Up. Sure, storage is cheap nowadays, but why do we insist on keeping every single piece of data that our business comes across on any given day? Is that ...
