Category Archives: Enterprise Security

Is Visa Taking the Training Wheels Off of Security?

Step into the way-back machine with me and let’s turn the dial to 2000. What a glorious time that was! We were at the peak of what would soon be known as the DotCom Bust (although poor corporate accounting practices had a hand in this one as well). Information security was this fledgling group in most companies that was called to clean up virus outbreaks. Then we weathered the storm. Markets crashed, IT budgets were slashed to the bone, and security professionals suffered too. We fought hard for every single dollar that came our way, yet we still were playing catch-up. Now let’s forward to December 15, 2004, when the first release of the PCI DSS made its way into ...

Why Visa’s TIP Doesn’t Matter

On Thursday, I posted about a memo released by Visa, Inc. last week discussing the acceleration of EMV adoption. There is much buzz going on right now as merchants now have a false sense of hope. PCI Assessments aren’t going anywhere any time soon. Why? One of the fundamental rules about PCI DSS is that you are dealing with five competing payment brands that handle their own enforcement. This means that as a merchant you can be at a different level with a different payment brand, which may or may not affect how you validate compliance. A move by any one payment brand does not necessarily represent all five brands, nor does it guarantee that you will see the effects in ...

Will Service Suffer?

It’s weeks like this last one that I am glad I am not a market maker or securities broker. I doubt my ticker could survive the roller coaster ride of highs and lows over the last three years. But what happens with service as the economy falters? Let’s just say that this recent string of declines forces some businesses to continue to wring cost out of their business. That means that once again, the cost centers of business will be asked to do more with less. Cutting heads, moving employees to lower cost geographies, and removing investments for continuous improvement take their toll on the employees, which then trickles down to customers. Between appointments last night, I flipped on Undercover ...

Herding Cats July, Breaches Can’t Happen to Us

Have you checked out ISSA Connect yet? The next issue is up there with my column, Breaches Can’t Happen to Us. This one was fun for me as it follows a common theme you can expect from Ol’ Brando, the business end of security. Most security professionals have not had any sort of business training, or with some I have met, really give a flying futon about business. Before you go ask for more money in your budget, you should read this article. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up ...

Using Transaction ID for Payments

Where is it in your strategy? Each payment brand calls it something slightly different but they all have something like this now. Every transaction pushed through their network can now be identified with a unique transaction ID. With PCI DSS continuing to be a significant burden for merchants to handle, I can’t think of a better time to consider alternative methods for handling cardholder data after authorization. Merchants have many options when it comes to PAN replacement options. When it comes to tokens, there are typically two different options you might choose—either per-transaction tokens or per-card tokens. Merchants that want to perform analytics on purchasing behavior using just the payment card itself as a way to track purchases should go ...

The Perfect World

I was recently asked in a meeting of the minds to describe my view of the perfect world as it related to PCI DSS. For those of you who read my work often, you may notice a few themes that I continue to write about. I believe that security is a business problem and security professionals have historically done a poor job of quantifying information security risk in a manner that makes sense to a business person. In my perfect world, companies would understand the value of the information they use to drive their business, and they would protect or transfer risk accordingly. Sounds simple on the surface, but if you have been in business in the last five years ...

Audience Participation: Who wants stricter PCI DSS requirements?

WAY before I started serving my term on the PCI Board of Advisors, someone privy to the conversations once told me that the early discussions had people grouped into two distinct camps: “Make PCI DSS more prescriptive and remove gray area!” and “Remove some of the prescriptive nature of PCI DSS to allow people flexibility in meeting the standard!” While I’m not at liberty to disclose conversations that happened two weeks ago, I’m wondering what the folks in the field think about a topic similar to this: should PCI DSS evolve to a stricter standard or more of a framework? After announcing our election to the board, I have had SEVERAL folks from varied industries and backgrounds give me words of ...

Telephone-based Payment Security

Back in March the Council released an information supplement on the PCI SSC website entitled Protecting Telephone-Based Payment Card Data. Wait… MARCH you say? Brando, seriously, work on the timeliness of information. Yeah, yeah… I hear ya. I tend to post about things that I see in my daily experiences, and frankly, I thought we had the telephone-based payment problems solved based on the Council’s official FAQ 5362 on the topic. While the answer seems pretty complete to me, the PDF above also includes several other elements that may be useful to companies dealing with telephone-based payment issues. On Page 6 you will find a flowchart designed to help companies break down complex environments into a series of Yes/No questions. ...

iCloud Security Questions

I admit it, I’m a fanboy. So on Monday, I was doing what I could to keep up with the WWDC Keynote. Unfortunately, that meant reading a live-blog between phone calls, but it got enough of the job done. I’m looking forward to many of the new features in Lion and iOS 5. One announcement that caught my attention was the new iCloud replacement/enhancement for MobileMe. From the website: “iCloud stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices — automatically. It’s the easiest way to manage your content. Because now you don’t have to.” Preposition-ending sentences aside, this is some pretty cool stuff. I’m already familiar with MobileMe as an ...

Herding Cats April, May, and June!

Have you checked out ISSA Connect yet? The next issue is up there with my column, This Ain’t Yo’ Daddy’s Malware! I’ve also posted, in the Herding Cats section of the site, the April and May editions of the column. My sincere apologies for not putting those up here earlier, but those of you who are members of ISSA got to see them as they were published. Are you not a member? Well why not?! If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today! ...