Monthly Archives: October 2014

Guest Post: Digital Fingerprinting—Do You Know Who You’re Doing Business With?

The following is a guest post by Frank Stornello of Verifi. Online fraudsters benefit from the anonymity of a virtual medium. They can invent and reinvent who they are on any given day. And they do. They can change email addresses or IP addresses in just a few clicks. But it’s a little more expensive and time consuming to change the hardware that they’re using to make a purchase—the PC, laptop or smartphone. That’s why “digital fingerprinting” or “device fingerprinting” has become a popular means for fraud prevention. Just as good old-fashioned fingerprinting has been used for over a century to identify criminals and thwart crime, digital fingerprinting can do the same by identifying the fraudsters’ tools, if not the ...
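
To make the distinction the post draws concrete, here is an added example, not code from Verifi or the guest author, of how a device identity can be built from attributes that are expensive to change while the ones a fraudster swaps in a few clicks are deliberately left out. The attribute names, weights, threshold and the four sample sessions are all constructed for illustration:

```python
import hashlib
import json

# Weights are an assumption for illustration, not Verifi's model: traits tied to the
# physical device or browser install score high; a fraudster changes IP or e-mail in
# a few clicks, so those are kept out of the identity entirely.
STABLE_WEIGHTS = {
    "platform": 3,      # OS / architecture as reported by the client
    "screen": 3,        # resolution and colour depth
    "canvas_hash": 4,   # hash of a rendered canvas, sensitive to GPU/driver/font stack
    "fonts_hash": 3,    # hash of the installed-font list
    "user_agent": 2,    # changes with every browser update, so weighted lower
    "timezone": 1,
    "language": 1,
}
VOLATILE = ("ip", "email")  # logged for risk rules, never part of the device identity


def exact_fingerprint(attrs: dict) -> str:
    """SHA-256 over the canonical JSON of the stable attributes only."""
    stable = {k: attrs.get(k, "") for k in STABLE_WEIGHTS}
    canon = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def similarity(a: dict, b: dict) -> float:
    """Weighted share of stable attributes on which two sessions agree, in [0, 1]."""
    total = sum(STABLE_WEIGHTS.values())
    agree = sum(w for k, w in STABLE_WEIGHTS.items() if a.get(k) == b.get(k))
    return agree / total


def same_device(a: dict, b: dict, threshold: float = 0.75) -> bool:
    """Fuzzy match: tolerates drift in a low-weight trait, not a different machine."""
    return similarity(a, b) >= threshold


# Constructed sessions (TEST-NET addresses and example.com mailboxes).
ORIGINAL = {
    "platform": "Win32", "screen": "1920x1080x24",
    "canvas_hash": "c4a1f0", "fonts_hash": "9b7e22",
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0",
    "timezone": "America/New_York", "language": "en-US",
    "ip": "203.0.113.5", "email": "buyer@example.com",
}
# Same laptop, new e-mail address and a different network: cheap to do, changes nothing.
NEW_IP_AND_EMAIL = dict(ORIGINAL, ip="203.0.113.77", email="someone.else@example.com")
# Same laptop after a browser update: the exact hash breaks, the weighted score still matches.
NEW_BROWSER_BUILD = dict(NEW_IP_AND_EMAIL,
                         user_agent="Mozilla/5.0 (Windows NT 6.1) Chrome/39.0")
# A different machine that reuses the original IP and e-mail and shares locale settings.
OTHER_DEVICE = {
    "platform": "MacIntel", "screen": "1440x900x24",
    "canvas_hash": "0d55ab", "fonts_hash": "e13c90",
    "user_agent": "Mozilla/5.0 (Macintosh) Safari/600.1",
    "timezone": "America/New_York", "language": "en-US",
    "ip": "203.0.113.5", "email": "buyer@example.com",
}

if __name__ == "__main__":
    for name, sess in [("new IP/email", NEW_IP_AND_EMAIL),
                       ("new browser build", NEW_BROWSER_BUILD),
                       ("other device", OTHER_DEVICE)]:
        exact = exact_fingerprint(sess) == exact_fingerprint(ORIGINAL)
        print(f"{name:18s} exact_match={exact} "
              f"similarity={similarity(ORIGINAL, sess):.2f} "
              f"same_device={same_device(ORIGINAL, sess)}")
```

The exact hash is the cheap lookup key; the weighted score is what keeps a returning device recognisable after a browser update and keeps a different machine from being matched just because it reused an IP address or e-mail. Every attribute here is reported by the client, so a fingerprint is a risk signal to combine with others, not proof of identity.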

The Role of Evidence-Based Management

Evidence-Based Management (EBMgt) is a topic growing in popularity in both the academic and professional worlds for a number of reasons. We’ve never had access to the volume of data that we do today, coupled with the processing power available to make sense of it. In addition, we’ve learned that while hunches give us a gut feel we are comfortable with, we like to confirm it with data (which can be challenging when coping with confirmation bias). One of the bigger lessons you learn when you continue past a Master’s degree is that your opinion doesn’t matter. Everything you write about should be evidence based. Synthesis is great and a critical step in Bloom’s Taxonomy—meaning it is just fine to ...

There Are No Unicorns

Those of you in the DevOps community know exactly who I am talking about when I use the term Unicorn. Amazon, Netflix, and Disney all come to mind. After two days here at the DevOps Enterprise Summit, we shouldn’t be using the term unicorn at all to describe these high-performing IT organizations. If we have to choose a four-legged animal, they are more like a thoroughbred than a unicorn. Here’s why. When trying to strategically position a firm in the marketplace, scholars like to use Resource-Based Theory (sometimes called the Resource-Based View of the Firm), largely popularized in recent literature by Jay Barney. His seminal paper in 1991 is frequently cited when trying to understand why one firm has competitive advantage ...

Apple Pay is Here, First Notes

12:01 hits and I hit my Software Update menu item to see if I can snag me some Apple Pay, and BAM! There it is! 20 minutes later, I am ready to go with iOS 8.1. Here are a few notes for those of you who may be using it as well. Apple Pay is a part of Passbook, and acts like any other Passbook integration. You can open Passbook and add ONE card, but any additional cards must be added under Settings -> Passbook & Apple Pay. For each card that is enrolled, you may be asked to validate your identity. Make sure that your banks have current email addresses and phone numbers for you. They will send you ...

Facelift Friday!

For those of you who have not noticed yet, the website has gotten a much needed update! For those of you who have been around here for a while, you will remember that the last time I did something was in 2009, right before the 2nd edition of the book published (4th edition coming soon!). Quite a bit has happened since then, including new design styles and ways to present information. I contacted Spellbrand to help put a fresh look on things! All of the old information is still here, it’s just presented a bit differently. You will also notice that I will be updating my Herding Cats column as well, as I got out of the habit of doing this ...

Enable 2-Factor Everywhere

Dropbox is the latest victim to announce that a third party (Snapchat was last week) integration caused a ton of their usernames and passwords to be leaked on Pastebin. At this point, most of our super-useful cloud services (Evernote, Twitter, Facebook, Google, and Dropbox to name a few) all have the ability to turn on some kind of stepped-up authentication. Some of these use Google Authenticator, which couldn’t be any easier to use than it already is (probably). So after you go change your Dropbox password (to something unique, not used on any other website), take a few moments to step up your authentication with 2-factor authentication. It will only take you a few minutes, and it will provide much ...

Incentives in PCI DSS

ETA’s Transaction Trends publication recently featured an article by Darrel Anderson entitled Why PCI Compliance Isn’t Working. In it, he describes one of the problems that we’ve been exploring here over the last month or so—incentive structures for PCI DSS. At the ETA Strategic Leadership Forum, the CEO of a prominent payments company echoed this sentiment by suggesting that his peers in the industry should be invested in taking the bite out of processing payments. Darrel touches on this in his article when he discusses the complexity of PCI DSS and how merchants struggle with it. His first carrot is to make this process easy. But we shouldn’t be focusing on making PCI easier, we should be focusing on making ...

ETA Strategic Leadership Forum

It’s that time of year again, and several of us are headed out to this fantastic event put on by ETA. Look me up when you are there so we can chat about some of the interesting events over the last few months. Some of those include:

- POS malware
- Scoping challenges with PCI DSS 3.0
- Apple Pay (and P2PE)
- Shellshock
- Side-channel attacks on PINs

Looking forward to discussing the future of payments with some of the most influential people in the industry!

The Right Way to Present your Security Initiative

Going through my RSS feeds the other day, I found this blog post on HBR that everyone in our field should bookmark for future reference. It’s entitled The Right Way to Present your Business Case, by Carolyn O’Hara. As I was reflecting on the successful (and not so successful) pitches in my career, I thought that this type of message also works perfectly for information security. We have all had that moment in our careers where we knew something needed to be done, but we struggled to communicate it effectively. I distinctly remember a conversation early in my career about adding a security product to a company I worked for and the CEO said, “Until Amazon gets hacked, nobody is going ...

September 2014 Roundup

The Orlando community meeting came and went, DerbyCon came and went, and we saw a security vulnerability that rivals Heartbleed. I hope this sets us up for a great discussion in a couple of weeks at the PCI Community Meeting in Orlando! Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. The economy is humming along quite nicely. How do we know? Because people are getting poor customer service and reading posts like this one. Is customer service less important now that customers are easier to come by? Check out this diversion from security that will make you think about how you interact with your customers. Is PCI DSS ...
