Monthly Archives: July 2011

Complacent or Lucky (both kinds)?

Twitter cracks me up sometimes. I was tagged in a tweet that pointed out I was among more than one individual representing a breached company on the PCI Advisory Board. My response? Look out that window. I submit to you that the companies with the best security programs might be those that have suffered a breach in the last twelve to twenty-four months. The program was weak enough to allow the breach to occur at the time, but the severity and specifics of the breach highlight corrective actions for management to address. From the breaches I have been involved in, management tends to knee-jerk pretty hard and improve their game. Even without a breach, only a tiny percentage of ...


Herding Cats July, Breaches Can’t Happen to Us

Have you checked out ISSA Connect yet? The next issue is up there with my column, Breaches Can’t Happen to Us. This one was fun for me as it follows a common theme you can expect from Ol’ Brando: the business end of security. Most security professionals have not had any sort of business training, and some I have met do not really give a flying futon about business. Before you go ask for more money in your budget, you should read this article. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up ...


Using Transaction ID for Payments

Where is it in your strategy? Each payment brand calls it something slightly different, but they all have something like this now: every transaction pushed through their network can be identified with a unique transaction ID. With PCI DSS continuing to be a significant burden for merchants to handle, I can’t think of a better time to consider alternative methods for handling cardholder data after authorization. Merchants have many options when it comes to PAN replacement. When it comes to tokens, there are typically two different options you might choose—either per-transaction tokens or per-card tokens. Merchants that want to perform analytics on purchasing behavior using just the payment card itself as a way to track purchases should go ...


Security Tips for Non-Techies

One of the most challenging things that I regularly do is explain my job and career choice to non-techie users. Ask my Mom what I do, and you might get one of the blankest stares you have ever seen thrown right back in your face. In fact, I think this general lack of security knowledge among users contributes tremendously to the success of attacks against consumers. How else do we have millions of drones waiting for commands on unsuspecting users’ machines? I’ve heard the following from family members before: “But I bought an anti-virus program three years ago! Why do I have to pay for it every year?” “But I had to disable the security settings so I could play ...


The Perfect World

I was recently asked in a meeting of the minds to describe my view of the perfect world as it related to PCI DSS. For those of you who read my work often, you may notice a few themes that I continue to write about. I believe that security is a business problem and security professionals have historically done a poor job of quantifying information security risk in a manner that makes sense to a business person. In my perfect world, companies would understand the value of the information they use to drive their business, and they would protect or transfer risk accordingly. Sounds simple on the surface, but if you have been in business in the last five years ...


June 2011 Roundup

What was popular in June? It was iCloud, PCI Council fun with mobile payments and the updated Prioritized Approach document, and an older post that surfaced in the top five again this month around the quality of QSAs. Here are the five most popular posts from last month:

iCloud Security Questions. WWDC unveiled some pretty cool new things from the overlords at Apple, but one of the most interesting to me was the unveiling of the iCloud service. Check my thoughts on some of the security concerns that must be addressed before you consider wide adoption.

Updated Prioritized Approach. You cannot cookie-cutter PCI DSS, but if you see it as a crazy daunting task and are at a loss when ...
