Categories ArchivesEnterprise Security

Apple Pay is Not P2PE, and Does Not Replace PCI Compliance standard

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...

Continue Reading

The Impact of PCI DSS is Up To You standard

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, it seems that the perception in the community does not align with this. I had many conversations last week from disillusioned merchants who are struggling to come up with solid plans for updating their programs. We got detailed in the book on how to address some of these issues, including new chapters on ...

Continue Reading

Will this Band-Aid help? standard

You know when you get a paper cut in the webbing of your fingers? How many of you just shuddered at the thought of such a minor, but memorable malady? Now, think about one of the times that you got in there really deep and had to find a band-aid. Those normal ones just don’t work! You need a special band-aid with the butterfly flaps on it. Then you can get on with your day without spreading more of your DNA on everything you touch. With all these POS breaches (like Home Depot this week), we need to address a paper cut. The paper cut here is the POS system. We can describe them as two machines with different life ...

Continue Reading

Is PCI DSS Effective? standard

Another week, another breach. SuperValu is the latest entity to suffer a breach involving credit cards, and I saw a tweet over the weekend that inspired this post. It was along the lines of “I’d hate to be the guy who has to explain how PCI DSS is effective against breaches.” While there is some humor in the tweet, there is more than just the standard in play here. PCI DSS by itself is a good baseline for handling cardholder data. I’ve written articles, blogs, books, and given talks on the merits of PCI DSS ((If you are on the Council reading this, remember, I’m an on-record supporter)). PCI DSS also has flaws, compared to other compliance initiatives, that are ...

Continue Reading

Why won’t you change your password? standard

There was a very interesting post by Punam Keller last week on the HBR Blog Network on the psychology of passwords. This isn’t like the previous posts you have seen on this blog. While I tend to focus on the technical problems and ways around them, Keller explores the behavioral aspects of passwords and our general resistance to do what we all know is right. She highlights four attitudes that people have when it comes to passwords: People who don’t know they should change their passwords—most likely by intentionally ignoring information that indicates they should. People who know they should change it, but avoid doing it because they think password theft and misuse will happen to someone else. People who ...

Continue Reading

Locking your Door is a Bad Analogy for PCI DSS Compliance and InfoSec standard

Storytelling is a pastime that spans all of human existance. Famous stories like cultural parables or classics like Romeo & Juliet attempt to tackle complex or conflicting ideas and relate them to someone. We use it to pass information from place to place, to captivate audiences when delivering unexpected information (See TED talks), and to explain to a lay person why they should take some action. Pick a security standard or compliance initiative, and you will find hundreds of analogies that attempt to reduce their complexity to a tagline or short list of tasks. One in particular that is quite popular in the PCI DSS and information security space is comparing compliance with locking your front door. Of course you ...

Continue Reading

The Art of Inquiry standard

The information security industry can sometimes fall into a rut when it creates and publishes requirements. Even in the corporate world we fall into these ruts. Go check out one of your build or hardening guides and see how much or how recently it has changed. In some respects, we don’t want to have drastic changes even when the world around us changes drastically because it makes it harder to meet those requirements. It’s that old “Your Security Rules are a Moving Target” chestnut. An old mentor of mine once told me that “compliance comes and goes, but security is here to stay”. In some respects, I think compliance is the manifestation of a purpose-built set of security rules driven ...

Continue Reading

Try the Middle of the Current (Just for Fun) standard

I was having a fantastic discussion with a close friend yesterday about how the security industry harbors people that fight battles just for the sake of fighting battles. It’s the stuff that makes Sun Tzu shake his head knowing that you are on the losing side. My friend said, “Hey, didn’t you write about something like that a while back?” Once again, Past Brando hosed Future Brando. One of Sun Tzu’s biggest teachings is that the preferred method to win a battle is to win without fighting. If I were to take some literary liberty with this edict and apply it to the security space, it’s better to win within the established rules of the game instead of spending all ...

Continue Reading

More Hacks! standard

It’s been a busy weekend. Since last week, we’ve seen annoucements from PF Chang’s, AT&T Mobility, and Domino’s Pizza, all with varying levels of disclosure. PF Chang’s looks to be yet another payment card breach while Domino’s Pizza was a privacy-related breach in Europe (no cardholder data apparently disclosed). But the AT&T Mobility one is the kicker with an unknown number of customers impacted, and the big no-no is on this one—social security numbers. Lovely! All that aside, because at this point none of this is really exciting or unexpected, I want to direct your attention to a short and sweet blog post from Mike Rothman who discusses a comparison (with reference) to emergency managers and information security professionals. It’s ...

Continue Reading

More Fun with EMV standard

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch entitled, “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US that are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!