Monthly Archives: August 2011

Is Visa Taking the Training Wheels Off of Security?

Step into the way-back machine with me and let's turn the dial to 2000. What a glorious time that was! We were at the peak of what would soon be known as the DotCom Bust (although poor corporate accounting practices had a hand in that one as well). Information security was a fledgling group in most companies, called in to clean up virus outbreaks. Then we weathered the storm. Markets crashed, IT budgets were slashed to the bone, and security professionals suffered too. We fought hard for every single dollar that came our way, yet we were still playing catch-up. Now let's fast-forward to December 15, 2004, when the first release of the PCI DSS made its way into ...

Visa Kills PCI Assessments and Wants Your Processor to Support EMV

Visa made a few new changes public yesterday on the Key Program Dates for its Cardholder Information Security Program. It's been a Visa-heavy month as we watch them push EMV here in the US. Two other posts you should read first: "Chip and PIN on the Way" and "Why Visa's TIP Doesn't Matter (to you)". Now, what did Visa announce yesterday? It looks like the Technology Innovation Program (TIP) is coming to the US. But as you already know (because you read the second post above), this doesn't matter to you. From the release: "Effective 1 October 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance ..."

PCI Council Revokes QSA Status (Finally?)

You readers know that I used to run one of the larger QSAs, and I took pride in the team we built, the work we did, and what our customers said about their experience. Yes, we actually had customers tell us that they LIKED their QSA. How rare is that today? Since getting out of that business, I have spent quite a bit of time helping my customers operate more securely and, in conjunction with that, comply with various standards like PCI DSS. The only time I've heard more colorful language describing someone is when my wife screams at the TV during football. BARELY more colorful. Earlier this month, the PCI SSC announced they were revoking the QSA and PA-QSA ...

Why Visa's TIP Doesn't Matter

On Thursday, I posted about a memo released by Visa, Inc. last week discussing the acceleration of EMV adoption. There is a lot of buzz going on right now, and merchants now have a false sense of hope. PCI assessments aren't going anywhere any time soon. Why? One of the fundamental rules of PCI DSS is that you are dealing with five competing payment brands, each of which handles its own enforcement. This means that as a merchant you can be a different level with each payment brand, which may or may not affect how you validate compliance. A move by any one payment brand does not necessarily represent all five brands, nor does it guarantee that you will see the effects in ...

Chip and PIN on the Way

Here comes EMV Cottontail, hoppin' down the PCI trail, hippety hoppety, EMV's on its way! While crammed in the back of a cab last night I flipped through some stuff on Twitter and found a post by Adrian Lane on Securosis describing Visa's chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn't work if the card in your wallet doesn't use ...

Will Service Suffer?

It's weeks like this last one that make me glad I am not a market maker or securities broker. I doubt my ticker could survive the roller coaster of highs and lows over the last three years. But what happens to service as the economy falters? Let's just say that this recent string of declines forces some businesses to keep wringing cost out of their operations. That means that, once again, the cost centers of the business will be asked to do more with less. Cutting heads, moving employees to lower-cost geographies, and removing investments in continuous improvement take their toll on employees, which then trickles down to customers. Between appointments last night, I flipped on Undercover ...

The End of Subscriber Privacy

I'm not sure anyone actually believes in internet privacy anymore, but what little we may have had may now be completely eroded thanks to a new bill in the US House of Representatives, the Protecting Children From Internet Pornographers Act of 2011 (H.R. 1981). If the bill in its current state becomes law, internet service providers must retain the following subscriber data for a period of 18 months: names, address(es), and temporarily-assigned IP addresses. While this measure does not aim to maintain detailed activity logs of subscribers, it is designed to be a point of reference for tracing actions back to individuals. For example, if a temporary IP address of a home internet subscriber is found to have been used in an ...

July 2011 Roundup

What was popular in July? It was an Apple-friendly month with more iCloud discussions, Lion, replacing my iPhone, and polls about a stricter PCI DSS. We also saw some mobile payment applications make their way back onto the PA-DSS approved application list, and a flurry of discussion around social media, mostly centered on Google+. Here are the five most popular posts from last month: Security Tips for Non-Techies. What is it that you do again? The truly brilliant among us can take our complex jobs and describe them to non-techies in words they understand. But how do you explain the WHY and HOW in simple terms? Don't fret, DHS did it for you. Learn more here! Audience Participation: ...
