Monthly Archives: September 2014

Shellshock and the Cyber Safety Program

I recently had a conversation with Josh Corman of IAmTheCavalry where he shared with me his open letter to the automotive industry. Entitled the Five Star Automotive Safety Program, it outlines five specific areas that affect information security, and thus will affect the safety of humans that rely on those systems. The five areas are: Safety by Design, Third-Party Collaboration, Evidence Capture, Security Updates, and Segmentation & Isolation. When Josh and I first chatted, I was wary of number 4. Not the fact that security updates are needed, but that there must be a mechanism by which updates can be automatically deployed (not by taking a car to the repair shop). Could someone create a cyber-zombie army by taking over an ...

Continue Reading

SSL Issues with this Blog?

Due to Google’s policy change that all certificates must be signed with a minimum of SHA256, I recently replaced the cert on this site. Some of you have let me know that SSL errors were popping up. One was due to a missed “https” on the MailChimp signup form, the other was due to Symantec (VeriSign)’s new root cert that is also signed using SHA256. If you are currently using a certificate on your SSL site that is signed using the SHA-1 algorithm, you should consider replacing that cert soon. Chrome will soon be configured to warn users going to those sites about the weak signature. Enterprise customers, this is going to be as painful as Heartbleed if you had ...

Continue Reading

Apple Pay is Not P2PE, and Does Not Replace PCI Compliance

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...

Continue Reading

Side Channel Attacks for PINs

I found this Lifehacker post this week and I am totally loving the demonstration he gives in his video. Anyone who has watched a crime drama knows that people are filthy beings that leave traces of themselves wherever they go. It could be DNA from skin cells or hair, prints from our shoes, or a heat signature from touching something. In the video, Mark Rober shows you how an iPhone attachment can pick up the PIN code you just entered into a terminal to pay for goods and services. He even gives you some ideas on how to avoid getting hit. For those of us that saw Bob Arno at the Community meeting last week and saw the coordinated shoulder ...

Continue Reading

The Impact of PCI DSS is Up To You

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, it seems that the perception in the community does not align with this. I had many conversations last week from disillusioned merchants who are struggling to come up with solid plans for updating their programs. We got detailed in the book on how to address some of these issues, including new chapters on ...

Continue Reading

Does Apple Pay Signal the Beginning of the End of PCI?

Whether you are a fanboy or not, you have probably seen some news about Apple’s new Apple Pay feature in the iPhone 6. It appears that the sleeping giant of digital wallets is stirring from his slumber. Could this spell the end of PCI DSS for the majority of companies affected by the standard? The last few decades have seen a number of companies attempting to disrupt or revolutionize payments, but like the payment card brands themselves, they battled acceptance. Apple’s new iPhone 6 finally has Near Field Communication (NFC) built into the device, which means it can now interact with contact-less payment card readers. The dream of leaving your house with only your phone is not quite a reality ...

Continue Reading

PCI Community Meeting, 2014

No snarky comments here ((Although, those were some fun times, use the search feature to learn more…)), and it’s time for the first of three community meetings starting tomorrow. These meetings have been going on every year since 2007 in Toronto, one year after the Council was formally announced. Even though my career has moved away from the life of a QSA, I have made every one here in the US, and several in Europe, sometimes as a QSA/ASV, other times as a Board of Advisors member, and finally as a sponsor. Last year, I wrote that 2013 was a pivotal year for PCI DSS. We got a new version of PCI DSS that has been controversial at best. ...

Continue Reading

Will this Band-Aid help?

You know when you get a paper cut in the webbing of your fingers? How many of you just shuddered at the thought of such a minor, but memorable malady? Now, think about one of the times that you got in there really deep and had to find a band-aid. Those normal ones just don’t work! You need a special band-aid with the butterfly flaps on it. Then you can get on with your day without spreading more of your DNA on everything you touch. With all these POS breaches (like Home Depot this week), we need to address a paper cut. The paper cut here is the POS system. We can describe them as two machines with different life ...

Continue Reading

August 2014 Roundup

We wrapped up the survival tips for young (and sometimes experienced) professionals series and got back to information security! While you are all still very interested in getting great customer service, my posts on the effectiveness of PCI DSS also made the rounds this time around. I hope this sets us up for a great discussion in a couple of weeks at the PCI Community Meeting in Orlando! Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. The economy is humming along quite nicely. How do we know? Because people are getting poor customer service and reading posts like this one. Is customer service less important now that customers are ...

Continue Reading

Guest Post: PCI Compliance Fees, Fines, and Penalties – What Happens After a Breach

The following is a guest post by Mark Burnette. You can reach him directly here. The PCI Data Security Standards are a set of rules designed by the credit card brands to enforce card data security. Though these are industry rules rather than laws, they can result in stiff fines and penalties for businesses, and even cost a business the ability to process credit cards. What’s more, these rules impact every business that collects, processes, or transmits card data – from mom and pop shops to retail titans. So what exactly happens to a business when it’s caught out of compliance? Fines and penalties Let’s say your business has suffered a data breach. First, the card brands will go to ...

Continue Reading
