Monthly Archives: September 2011

A Conversation with Visa

Wednesday was a busy day for me at the Community meeting. In between sessions, I spent thirty minutes with Eduardo Perez, head of global payment system security, Tia Ilori, business leader, U.S. payment system risk, and Ingrid Beierly, business leader, fraud control & investigations from Visa. Visa is the largest payment brand and creator of the Cardholder Information Security Program whose content drove the majority of what we see in the PCI DSS today. We started by discussing the fraud rates and how PCI DSS is helping to keep fraud under control. According to Perez, fraud rates are very low and fairly stable—around 5%. So PCI has to be doing SOME good if fraud rates are not spiraling out of ...

A Conversation with Bob, Troy, and Jeremy

If you caught me this year at the PCI Community Meeting you may have noticed something strange attached to my badge—a green “Press” ribbon. While it was strange to wear it and I don’t consider myself a member of the press, I’m thankful for what it ended up getting me. I had some great 1:1, on the record discussions with key stakeholders which I plan on bringing to you here in the blogorino. The first one I want to review is a conversation I had with the public leaders of the PCI SSC, Bob Russo (GM), Troy Leach (CTO), and Jeremy King (EU GM). The first thing I asked about was the new Special Interest Group (SIG) process that Jeremy ...

PCI Community Meeting Reviews from the Field

While I was at the community meeting, I chatted with several individuals that had feedback on the conference, and here are a few nuggets distilled from over an hour of audio recordings: Council is getting better at understanding how reports are generated, but there still seems to be an inability to tie any given report back to the environment assessed. For example, was it scoped correctly? Were the controls assessed per the intent of the standard? Was the appropriate risk-based approach taken? CBT Requalification is convenient, but lacks the flowing Q/A that you might see in an interactive training course. May consider trading an in-person training (or interactive training) every so often as opposed to all CBT. Large variance among ...

PCI Community Meeting 2011, That’s a Wrap

What was day 2 like at the community meeting? Lots more tweeting, lots more networking, and lots more info! First off, HUGE thanks to Gene Kim for being the most prolific twit, by far. Thank you to those who were present and those who weren’t! We started with the Verizon Data Breach Investigation Report review from Chris Novak. While the report is not new, Chris’s anecdotes that went along with the report solidified key findings for the group. Next the conference offered options. I opted for the PCI in Practice track with fellow board members Peter Cooper, Philip Morton, and Patrick Phalen. Each presented stories and strategies they used to bring their global organizations into compliance with PCI DSS. I enjoyed the session, and I ...

PCI Community Meeting, Day 1 Observations

The first day of the event has been packed full of activities! First off, it’s been great to see everyone. Say what you want, but there are some very smart people in this industry and I really enjoy the conversation (even if it is over one of those silly Compliance on the ROC drinks). We opened the session with Bob doing that thing that he does, including a heartfelt thanks for the outpouring of support he had after missing the meeting last year. Then we saw Eduardo Perez jump up and do a quick update. My favorite quote from him is “Security has to evolve as new technologies emerge.” New technologies change the attack surface, and it seems like most ...

Big Data and the Cloud Roadblock

EMC conducted a survey of U.S. Federal Government IT Security stakeholders recently, and one of the results that struck me was one around cloud adoption. We usually hear about security being an impediment to the wide-scale adoption of cloud and virtualization technologies, but our survey revealed another interesting barrier: big data. I recently heard a colleague describe the security industry as being in a situation similar to the one the retail sector was in many years ago. All of a sudden, marketers in retail demanded data. They needed to know everything they possibly could about their customers, and relentlessly bought, traded, and sold data to fill in their customer profile gaps. This larger set of data was then sliced hundreds of different ways ...

Apparently You DO Need Assurance

I was going through some tweets last week and came across a tweet by @rybolov touting the most interesting blog post he will read all month about code scanning and regulatory capture. It’s from Mary Ann Davidson, the CSO of Oracle, and is entitled “Those Who Can’t Do, Audit.” While I’m not an auditor (and never have been), I’ve performed many-an-assessment in my career, so I thought I’d take a look at the post with the repurposed cliché for a title. The first thing you will notice is that the post really isn’t about auditors; it’s about static code analysis. If I can distill the meat of the post down (and cull the 2/3s that compose fat/rant), her point is that certain groups have created ...

Herding Cats: Trust in the System (September 2011)

It’s September, and you know what that means! It’s time for another edition of Herding Cats! Last month’s, entitled “Walk that Walk,” is available here, and this month’s edition is titled Trust in the System. For regular readers, you might wonder why I am not talking about ISSA Connect and reading it over there. This month there was so much good stuff in the ISSA Journal, that my column didn’t make the cut. But I spent time writing it, and I’m not breaking my streak! DO take the time to go check out the articles on ISSA Connect this month, though, as there are quite a few great ones to comment about. Also, if you are not a member, join ...

August 2011 Roundup

What was popular in August? I had some fun with Visa’s TIP program, and in fact, just made a final post on the topic (for now) yesterday. Merchants in the middle of technology upgrades have some decisions to make on what they deploy and how they choose to process payments. We also saw our first (that I have a record of) public revocation of a QSA’s status. Here are the five most popular posts from last month: PCI Council Revokes QSA Status (Finally?) It had to happen SOME time. With QSA popularity at an all-time low, it looks like the Council finally took action against a QSA. See the details here, including some instructions on what to do if ...

Last Word on the Visa TIP

The Visa Technology Innovation Program (TIP) is certainly stirring up all kinds of discussions in the technology community. I had an opportunity to get some clarification on exactly what these new changes from Visa mean for you, and wanted to summarize them here. Unlike the Compliance Acceleration Program (CAP) which used fines and interchange fees to motivate merchants, there is no true financial incentive to participate in the TIP… today. The closest resemblance to a financial incentive is the domestic and cross-border counterfeit liability shift. Merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability of a fraudulent transaction instead of the issuer after October 1, 2015. The TIP mandates that ...
