Category Archives: Enterprise Security

Will PCI Mandate the Use of Data Discovery Tools?

The PCI Europe Community meeting was held in the beautiful Marriott in Old Town Prague last week, and even though there were fewer attendees than at the meeting in Vegas, there was no shortage of intensity and well-researched questions. One individual asked about the use of Data Discovery tools as a mandate to assist in the scoping of PCI assessments.  Imagine, as a QSA, walking into a customer, running a tool, and knowing EXACTLY the scope of the PCI assessment you need to perform!  There would be little chance that you under- or over-scoped it, and all those little nooks and crannies that scare the bejeebus out of a QSA would be documented right there for review. If you are ...


The Madness of Sampling

The PCI DSS instructs assessors to sample certain parts of the population when validating compliance.  According to the PCI DSS, the sample “must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.”  That often leads to the next two questions, the answers to which tend to vary among assessors: What do you mean by representative selection (or how many is representative)? What do you consider sufficiently large to gain assurance? In the audit world, internal auditors who review IT systems will look to statistically valid samples as a method to determine how ...
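One way to turn “representative” and “sufficiently large” into numbers an assessor can defend is the zero-deviation attribute-sampling formula auditors use (how many items must all pass before you can say, at a chosen confidence, that the failure rate is below a tolerable level), combined with a stratified draw so every component type and location appears in the sample. The code below is an added example, not from the post and not PCI SSC guidance; the inventory, the confidence and tolerable-deviation values, and the “at least one per stratum, remainder proportional” allocation rule are all assumptions for illustration.

```python
import math
import random
from collections import defaultdict

# Constructed inventory of in-scope system components for illustration:
# (component id, component type, business location). Not a real environment.
INVENTORY = []
for _loc in ("Prague", "Vienna", "Warsaw", "Berlin", "Paris", "Madrid", "Rome", "Lisbon"):
    for _i in range(25):
        INVENTORY.append((f"pos-{_loc.lower()}-{_i:02d}", "POS terminal", _loc))
for _i in range(10):
    INVENTORY.append((f"db-{_i:02d}", "database server", "Data centre"))
for _i in range(6):
    INVENTORY.append((f"fw-{_i:02d}", "firewall", "Data centre"))


def zero_deviation_sample_size(confidence, tolerable_rate):
    """Smallest n such that, if the true control-failure rate were at least
    tolerable_rate, observing zero failures in n items would have probability
    no more than 1 - confidence. Solves (1 - tolerable_rate) ** n <= 1 - confidence.
    Assumes the population is large relative to n (no finite-population correction)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def stratified_sample(inventory, n, seed=0):
    """Draw n items so that every (type, location) stratum contributes at least one,
    with the remainder allocated in proportion to stratum size (largest-remainder
    rounding). A fixed seed makes the draw reproducible for the workpapers."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for item in inventory:
        strata[(item[1], item[2])].append(item)
    if n < len(strata):
        raise ValueError(f"need at least {len(strata)} items to cover every stratum")
    total = len(inventory)
    remainder = n - len(strata)
    quota = {k: remainder * len(v) / total for k, v in strata.items()}
    alloc = {k: 1 + int(q) for k, q in quota.items()}
    # hand the leftover seats to the strata with the largest fractional quotas
    leftover = n - sum(alloc.values())
    for k in sorted(quota, key=lambda k: quota[k] - int(quota[k]), reverse=True)[:leftover]:
        alloc[k] += 1
    sample = []
    for k, items in strata.items():
        sample.extend(rng.sample(items, min(alloc[k], len(items))))
    return sample


if __name__ == "__main__":
    n = zero_deviation_sample_size(confidence=0.95, tolerable_rate=0.05)
    print(f"sample size for 95% confidence / 5% tolerable deviation: {n}")
    for cid, ctype, loc in stratified_sample(INVENTORY, n):
        print(cid, ctype, loc)
```

With 95% confidence and a 5% tolerable deviation rate the formula gives 59 items; relaxing to 90% / 10% drops it to 22, which is roughly the range “sufficiently large” tends to land in. The stratification is what answers the “representative” half: a sample of 59 POS terminals from Prague alone would satisfy the count and still miss every firewall.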


The Problem with Logging

Kim Zetter of Wired magazine put Wal-Mart back in the news recently with information about an alleged incident that occurred in the 2005-2006 timeframe.  One of the key issues making the rounds is the following assertion made by Zetter: “The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.” Logs serve multiple purposes, and for that reason they tend to grow rapidly.  Sure, storage is cheap nowadays, but every company still struggles with this very basic concept.  While I won’t speak specifically to the Wal-Mart incident (Evan Schuman has some great additions), I will address some of what I see with my customers and their struggles with logging.

Over-Logging

This is more typical than ...
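Why a failures-only log frustrates analysis is easiest to see by running the same question over both kinds of log. Below is an added example (mine, not the post’s, and not Wal-Mart’s logs, which the post does not show): a few constructed authentication lines in a generic syslog-like format, a detector for “several failures, then a success” from the same source, and a filter that models a server configured to keep only unsuccessful attempts. The log format, field names and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed authentication log for illustration only (generic format,
# not Wal-Mart's). One guessed-then-successful admin login, one user typo.
LOG_LINES = """\
2006-03-12T02:14:01 authd LOGIN_FAILED user=admin src=10.7.3.44
2006-03-12T02:14:03 authd LOGIN_FAILED user=admin src=10.7.3.44
2006-03-12T02:14:05 authd LOGIN_FAILED user=admin src=10.7.3.44
2006-03-12T02:14:09 authd LOGIN_OK user=admin src=10.7.3.44
2006-03-12T08:01:22 authd LOGIN_FAILED user=jsmith src=192.168.5.10
2006-03-12T08:01:40 authd LOGIN_OK user=jsmith src=192.168.5.10
2006-03-12T09:15:00 authd LOGIN_OK user=backup src=192.168.5.12
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) authd (?P<result>LOGIN_OK|LOGIN_FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Turn matching lines into event dicts; anything else is skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def failures_only(events):
    """Model the configuration the article describes: successes are never written."""
    return [e for e in events if e["result"] == "LOGIN_FAILED"]


def failure_counts(events):
    """What a failures-only log can still answer: who was targeted, and how often."""
    return Counter((e["user"], e["src"]) for e in events if e["result"] == "LOGIN_FAILED")


def successes_after_failures(events, min_failures=3, window_seconds=600):
    """Return (user, src, time) for every successful login preceded by at least
    min_failures failures for the same user from the same source within the
    window. This is the 'guessing worked' signal, and it needs the success event."""
    recent = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "LOGIN_FAILED":
            recent[key].append(e["ts"])
            continue
        fails = [t for t in recent[key] if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(fails) >= min_failures:
            hits.append((e["user"], e["src"], e["ts"].isoformat()))
        recent[key].clear()
    return hits


if __name__ == "__main__":
    full = parse(LOG_LINES)
    print("full log:", successes_after_failures(full))
    print("failures only:", successes_after_failures(failures_only(full)))
    print("targets seen either way:", failure_counts(full))
```

Over the full log the detector returns the admin login from 10.7.3.44; over the failures-only copy it returns nothing, even though the three failures are still there. The failure counts show what the cheaper log can still tell you (which accounts were hammered), which is exactly the “who was attacked” half of the picture without the “who got in” half. Successful-login events are small and rare compared with the chatter that drives over-logging, so they are the wrong place to economise.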


The Lost Assessment

Like many fans of Dan Brown’s character Robert Langdon, I was one of the first to tear through The Lost Symbol last month.  Symbology in ancient and modern cultures is fascinating, and somehow while I was reading the book, I drew a parallel between this final lost symbol (no spoilers here, you need to go read the book!) and the quest for security and compliance nirvana. In the book, Mal’akh is searching for what he believes is the final piece to a puzzle that will make him an all-powerful, deity-like creature.  His quest began while imprisoned in a Turkish prison (yes, he HAS seen the inside of a Turkish prison, Clarence) with the son of a prominent 33rd ...


Blame MBAs for PCI Remediation Costs!

Do you ever wonder how we got into this situation?  Where merchants are facing tremendous fines for non-compliance, companies are being compromised by hackers here and overseas, and data security programs seem to be non-functional at best (if not non-existent)? I’ll tell you how… MBAs.  Yep, those pesky folks who learn the inner workings of how to take advantage of numbers to best increase their own personal compensation. Yes, another MBA dog-pile.  And I feel qualified to pick on my MBA brethren because I are one. All seriousness aside (did I do that right?), let’s think about how payment systems started inside retailers.  This is a classic example of the Build vs. Buy problem in every single MBA finance class.  ...


Herding Cats, Bringing You up to Date!

I’ve been neglecting you all.  I usually post PDF versions of Herding Cats here on the blog for you all to read!  If you are not an ISSA Member, stop what you are doing and click here to join.  If you are, you can catch Herding Cats in the ISSA Journal online or in print! The last edition I posted was from April.  Here are the ones that I have published since then: The Perimeter has Left the Building (08/09), Security is a Mindset (07/09), The Cost of Ethics & Integrity (06/09), and The Breach You DID Expect (05/09). Don’t forget, you can see all the editions right here on the site!


PCI SSC Releases Skimming Prevention Tips

Skimming (in the credit card world) is commonly defined as capturing magnetic stripe data during the normal payment process by swiping the card through an external (or even inline) device before or after the authorization swipe.  External devices are commonly found where a payment instrument is presented and someone takes the card out of the cardholder’s view to process it, like at a restaurant.  Inline skimming occurs where the cardholder is present during the swipe, and usually involves tampered swipe devices. The PCI Security Standards Council recently released an EXCELLENT guide with tips on preventing skimming, with sample forms that you can use to track your progress.  Most of the skimming techniques employed can be addressed with physical inspection, something with which ...


The End of PIN-Debit for Fuel?

PIN-based debit authorization rates (the fees charged per transaction) have recently increased dramatically, with some merchants complaining that their authorization costs have risen to as much as four times their previous rate.  In some armchair research, I learned that Interlink (Visa) and Pulse (Discover) have removed interchange caps on transactions.  For most merchants, it is still cheaper to process a PIN-based debit transaction than a credit card transaction (on a per-transaction basis), but for others it is about the same.  Or at least the difference in cost is so minimal that their volumes don’t tip the balance one way or the other. Visa is enforcing PIN Entry Device (PED) mandates, effective July 1, 2010, whereby all PEDs must comply with the PCI PED Standard.  For retailers ...


Splain it, Brando!, and Finding your Data

On Thursday, I threw out a blog post which I hope will be the start of a series playing on Dave Ramsey’s style for financial peace, and realized I played the role of a consultant PERFECTLY (just like Marshall Eriksen might LAWYER you). SK pointed that out for me when he asked me to elaborate. In a back-to-school fashion, imagine this conversation as played through your teenage daughter’s cell phone. “I was all, ‘Just find the data!’, and he was all, ‘Whatever.’” I am so in touch with today’s youth. SK brought up a good point.  Let’s say you are working with an enterprise that does not have any of the following: 1) a working DLP solution, 2) ...
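Both the data-discovery scoping question at the top of this page and SK’s “just find the data” challenge here come down to the same mechanism when there is no DLP product in place. The following is an added example, not the post’s code and not any vendor’s tool: a minimal discovery pass that pulls 13 to 19 digit candidates out of text, drops decoys with the Luhn check, masks each hit to first six / last four, and reports which paths hold cardholder data, because that list of paths is what drives scope. The sample files and paths are constructed; the card numbers that pass are published test numbers, not real accounts.

```python
import re

# Constructed sample files for illustration (not data from the post). The
# numbers that pass are published test card numbers; the two decoys in the
# log look like PANs to a bare regex but fail the Luhn check.
SAMPLE_FILES = {
    "exports/orders-2009-10.csv":
        "order,card\n1001,4111 1111 1111 1111\n1002,5500-0000-0000-0004\n",
    "logs/app.log":
        "txn id 1234567890123456 ok\n"
        "request 378282246310005 approved\n"
        "retry 4111111111111112 rejected\n",
    "docs/readme.txt": "Nothing to see here. Call 555-0100.\n",
}

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Masked PANs found in a blob of text, in order of appearance."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan(files):
    """Map each path that holds at least one Luhn-valid PAN to its masked hits.
    The keys of the result are the footprint an assessor has to bring into scope."""
    footprint = {}
    for path, text in files.items():
        hits = find_pans(text)
        if hits:
            footprint[path] = hits
    return footprint


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(path, hits)
```

The Luhn check is what keeps the result short enough to act on: without it the 16-digit transaction id and the mistyped number in the log would both be reported, and every false positive is a system someone has to argue out of scope. Note that the log file turns up a genuine PAN the application was never supposed to write, which is the usual way scope grows past the systems people expect.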

