Category Archives: Headlines

Equifax is only half the problem, your SSN needs a redesign!

The Social Security Number in the United States is the closest thing we have to a national identification system. It’s widely used to deal with the government, open lines of credit, and serves as the unique ID for a taxpayer. It’s effectively your financial and governmental digital footprint identifier against which all actions are compared. Great, right? We can use it to ensure people pay their taxes, connect bank records and large financial transactions to an identity, ferret out money laundering and illicit business, and get a personal balance sheet on anyone who has credit. Except, once that number is disclosed, it’s disclosed. Unlike a payment card number, there is no wide-scale method to reissue a social security number. Like ...

Orfei Steps Down

In a rather surprising announcement, admittedly from a guy who is farther and farther removed from the PCI DSS ecosystem with each passing day, the PCI Council announced that Steven Orfei is stepping down as GM. His tenure was rather brief in comparison to Russo, but it’s a thankless job that probably gets even more thankless every passing day. I wonder who will be next to steer the ship?

Two reports, many questions

April was a busy month for consumers of information security reports, as two highly cited reports released their 2016 versions: the Trustwave Global Security Report and the Verizon DBIR. Shortly thereafter, security luminaries started picking them apart for various reasons. One of the challenges with these reports is that the datasets have some bias. Early on in the DBIR, the bias was substantial because the only data used in the analysis came from Verizon. As the report gained wider distribution, more datasets were included to reduce the bias. Make no mistake, there is still bias in the data, as it only represents a subset of what is actually happening in the industry. You can even tell how different Trustwave’s & Verizon’s ...

The Beginning of the End, No PCI DSS 4.0 in 2016

Taking a cue from infosec luminary Bill Brenner, how about some mood music? Browsing Twitter last night brought me to this tweet about PCI DSS in 2016:

Anybody else notice that the new redesign for the @PCISSC website is conspicuously missing the current lifecycle status #noversion4 — James Adamson (@jameskadamson) February 25, 2016

Indeed, earlier this month the Council posted a blog that revealed that PCI DSS 3.2 was the next version of the Standard, and would be the only release in 2016. I’ve previewed the proposed changes in 3.2, and I think this is a good approach for the Council this year. We can continue to debate the efficacy of the standard ad nauseam, but unless we’re going to ...

We Should Question Bold Claims that PCI Is “Highly Effective”

For my first real post of 2016, let’s deconstruct a quote from an article published by eWeek about PCI DSS and 2016. The quote in question is from Jeremy King, International Director for the Council. “The PCI DSS is a mature standard that has proven highly effective wherever it is adopted and used.” The rest of the quotes fall along the messaging guidelines that you hear from the Council (although this appears to be more of a pitch related to the logging SIG), but this one stuck out for me. It reads like something that wants to be true versus something that actually is true. In the Council’s defense, they will readily cite that no fully PCI DSS compliant merchant has ever been breached. ...

Verizon Report should be a Wake Up Call for the PCI SSC

Verizon recently released their annual state of PCI Compliance Report, which attempts to give a snapshot of current issues in the space as well as trending data over previous years. To summarize the report, the state of PCI Compliance is “not good.” It’s now 2015, more than 10 years after the first release of the standard, and we continue to struggle with compliance rates. In a Computer Weekly article, the GM of the Council says the report is a “wake-up call for every business that cares about payment security.” Respectfully, I think that the results in this report should be a wake-up call for the Council. These findings combined with lower than expected compliance rates and continued breaches (none of which came from compliant merchants) ...

What the Leaked Target PIN Data Actually Means for You

Before you read this, consider checking out my first post on the Target breach. Payment systems are complex. If you have ever assessed one or looked under the curtains going all the way back to the issuer, you know this. So it is not a surprise that there is a ton of misinformation flying around about the PIN data that Target admitted was taken. Before we get too far down the road here, I want to review a few items to make sure we’re all on the same page. First, let’s talk about track data. The type of data in the magstripe on the back of your card is sensitive, which is why PCI Requirement 3.2 forbids storing it. I’ve ...

MasterCard Releases Mobile POS Best Practices

Mobile POS is becoming a hotter topic as more vendors create hardware designed to leverage smartphones and tablets. To this end, MasterCard released a fantastic document detailing the Best Practices for Mobile Point of Sale. I have written before about how to make a mobile payment application comply with PCI DSS, and this document really goes into the details of the payment stream, the acceptance types, and great detail on the challenges and solutions for mobile payment acceptance. This document isn’t just for people who are considering mobile payment acceptance; every merchant should read this, as someone in your organization is already thinking along these lines (and maybe even piloting equipment). This is a key reference for me and I ...

The SBIC 2013 Trends Report

Today the Security for Business Innovation Council (SBIC) released their 2013 Trends Report, which is chock-full of great stuff for security professionals to consider as they begin to tackle the challenges this year will bring. While this report is not like anything the SBIC has released in the past, the four key findings are quite compelling and true to much of what my mission has been over the last several years. They are: Boost risk and business skills. Readers of my column (which has not been updated here in a while, but will be soon) know that the security professional who understands how the business works will be much more effective in adding value to his position ...

IDC Releases Alarming Trends for the Digital Universe

Nobody disputes the growth of digital information over the last decade, enabled by developments in storage technology put to use in the hands of consumers. We all create content every day, and as phones get bigger and better processors, cameras, and radios, we can expect this to continue. To put the growth of digital information into perspective, think about how painful it was to download a thirty-second HD movie clip five years ago or an entire music album ten years ago. Now we do it on our phones or tablets without thinking about it (until that data bill comes in!). IDC released a study today (in conjunction with EMC) projecting that the digital universe will be so large ...
