Monthly Archives: June 2011

Audience Participation: Who wants stricter PCI DSS requirements?

WAY before I started serving my term on the PCI Board of Advisors, someone privy to the conversations once told me that the early discussions had people grouped into two distinct camps: Make PCI DSS more prescriptive and remove gray area! Remove some of the prescriptive nature of PCI DSS to allow people flexibility in meeting the standard! While I’m not at liberty to disclose conversations that happened two weeks ago, I’m wondering what the folks in the field think about a topic similar to this: should PCI DSS evolve to a stricter standard or more of a framework? After announcing our election to the board, I have had SEVERAL folks from varied industries and backgrounds give me words of ...


A Brief Word about PCI DSS and Mobility

Big news Friday as the PCI Security Standards Council released several documents reversing their temporary ban on SOME mobile payment applications for the PA-DSS list. Essentially, purpose built devices are allowed, others are not. Remember, as long as the device complies with PCI DSS in production, you do not necessarily need a PA-DSS certification to deploy it. It certainly helps the discussions with your QSA or Acquirer, but it is not a requirement. In fact, not all devices CAN comply with PCI DSS, so that should be your first step. Go back to my guide on how to make a mobile device comply with PCI DSS for more information on key areas you need to investigate. If you can install ...


Telephone-based Payment Security

Back in March the Council released an information supplement on the PCI SSC website entitled Protecting Telephone-Based Payment Card Data. Wait… MARCH you say? Brando, seriously, work on the timeliness of information. Yeah, yeah… I hear ya. I tend to post about things that I see in my daily experiences, and frankly, I thought we had the telephone-based payment problems solved based on the Council’s official FAQ 5362 on the topic. While the answer seems pretty complete to me, the PDF above also includes several other elements that may be useful to companies dealing with telephone-based payment issues. On Page 6 you will find a flowchart designed to help companies break down complex environments into a series of Yes/No questions. ...


PCI Board of Advisors, and Truncation Best Practices

Last week was the first PCI Board of Advisors meeting for the recently elected board set to serve through June 2013. While it was a very productive session, I will not be able to blog about much of the meeting. It’s that way by design (rightfully so). At some point, I’ll have a few additional guidelines to work within, but ultimately I signed an NDA as did my company, and I plan on honoring the terms of that NDA regardless of my thoughts about it. Just to clarify, I plan to honor the terms in the NDA that I signed, or live by the consequences if I don’t. But that’s not what this post is about. I’ve been an advocate ...


iCloud Security Questions

I admit it, I’m a fanboy. So on Monday, I was doing what I could to keep up with the WWDC Keynote. Unfortunately, that meant reading a live-blog between phone calls, but it got enough of the job done. I’m looking forward to many of the new features in Lion and iOS 5. One announcement that caught my attention was the new iCloud replacement/enhancement for MobileMe. From the website: iCloud stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices — automatically. It’s the easiest way to manage your content. Because now you don’t have to. Preposition ending sentences aside, this is some pretty cool stuff. I’m already familiar with MobileMe as an ...


Herding Cats April, May, and June!

Have you checked out ISSA Connect yet? The next issue is up there with my column, This Ain’t Yo’ Daddy’s Malware! I’ve also posted the April and May editions of the column in the Herding Cats section of the site. My sincere apologies for not putting those up here earlier, but those of you who are members of ISSA got to see them as they were published. Are you not a member? Well why not?! If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


Updated Prioritized Approach

The PCI Security Standards Council released an updated Prioritized Approach document for PCI DSS 2.0 on Tuesday with associated tools and change documentation. I posted about the version of this document made to address PCI DSS 1.2 in 2009, and many of my comments still carry forward with this version. But let me take a moment to refresh the content as more than two years have passed since the original post. First off, it’s 2011. PCI has been enforced in the US with fines since 2007, and now globally in the last year. This isn’t our first rodeo, as it were. So what kinds of companies would be interested in using this document? Companies doing M&A activity might be very ...


May 2011 Roundup

What was popular in May? Poking fun at QSAs still showed up, and I’m working on some new ideas on the behaviors of QSAs for May. Hope to see you at EMC World! Here are the five most popular posts from last month: PCI DSS for the Small Office. Inspired by a reader (just email me your questions), I discuss how a small office should tackle PCI DSS. New PCI Board of Advisors Elected. Yep, looks like I get to contribute a bit! I’m now on the Board of Advisors representing RSA. Visa’s Chargeback Management Guidelines. Wondering how to deal with chargebacks? Check this document out for specific details on what you need to defend yourself (and more importantly, what ...
