Category Archives: Headlines

The Legal Risk around PCI

David Navetta published a fantastic article in this month’s ISSA Journal entitled “Who is Minding the Legal Risk around PCI” that takes a deep dive into the legal ramifications of not complying with the standard. If you do not get the journal, first off, go join the ISSA! It comes free with your membership! In the meantime, jump over to David’s blog to read the article! Towards the latter part of the article, David lays out two very real risks that I have discussed many times in this blog, such as QSA shopping, rubber stamping, and scoping. Enjoy, and have a great weekend!

Do you think about skimmers?

I’ll admit, I’m not the insomniac whose brain refuses to shut down because of something like a skimmer. They do scare me. Less from a personal liability perspective and more from a corporate liability perspective. Have you ever seen a real-life example of an ATM that has been doctored with a skimmer? Today is your lucky day! One Gizmodo reader submitted his pictures and story. Maybe I’m crazy, and maybe it’s just not that big of a deal anymore. The bad guys are getting very crafty now, and able to fit skimmers to specific ATM models. It used to be that if you used an ATM regularly, it would be very easy to tell if someone had tampered with it. ...

Review of PCI Congressional Hearing

If you missed it, you can see a recording here! See what the Twitterverse had to say here by searching for #pcihearing. TONS of coverage on this. First, I am very proud of our congress for putting this hearing together. It is clear how serious this situation is when listening to the prepared, pointed statements read in the beginning. I hope I don’t make anyone upset, but I do giggle a little bit when non-techie folks trip up on techie terms. I certainly expect someone would giggle at me if I were reading a statement of detailed medical terms and missed the words. Regardless, huge props for taking the issue on. In the next paragraphs, clicking on the individual’s name ...

Guest Post: Compliant Compromise

The following is a guest post by Frank Castaneira. Frank is a Sr. Consulting Manager inside the Global Security Consulting practice at VeriSign. Matt Hines recently wrote about the PCI Council discussions on applicability and adequacy of the PCI Standard given reported breaches of validated entities such as Hannaford and Heartland. Branden recently discussed the PCI Council conversation on March 6. Branden suggested greater visibility by the Council into the incident response process. This posting amplifies that solution and provides other perspectives. The discussions mentioned in Mr. Hines’ article focused on the QSA (Qualified Security Assessor) posture that an annual on-site assessment is relevant only for that point in time. Although I recognize the issue (point in time), my ...

NEWS FLASH: Visa Lists Dates

Last night, Visa, Inc. collected a list of dates for upcoming compliance and published them on their website as “Key Dates.” If you ever wondered what dates you needed to hit for Visa, Inc., they are all listed right there! Some of the dates are news to this blogger, so it’s nice to see something official and published, not just things we hear through the grapevine or by talking to various pundits in the industry. The next deadline they list is on March 31, U.S. Level 1 and Level 2 Merchants Prohibited Data Retention Attestation Deadline (applies to newly identified Level 1 and Level 2 merchants late 2007 and early 2008).

NEWS FLASH: RBS WorldPay and Heartland Dropped from CISP Compliant List

You’ve probably seen the story by now… it’s out there. Here is one link, and you can likely find MANY others. Here’s my question. If they are taking them off the list versus leaving them under review, are they saying that they never should have been certified in the first place? And if they are saying that, doesn’t this mean they are declaring shenanigans on the review by the QSA of record? Do I sense a trickle-down effect here?

Funny how?!

I’m too tall to even come close to pulling off Joe Pesci. So just think about the scene in Goodfellas where Tommy DeVito is pulling Henry Hill’s leg in the restaurant. How am I funny?! Anyway, if you are looking at my blog and you see a little badge on the upper right with a link to the Social Security Award and are wondering what that funny business is, I’ll tell ya! The Security Blogger Meet-Up at RSA is coming soon, and they are going to have some awards this year! There are five awards that will be given out. They are: Best Security Podcast – Who is the voice you listen to week after week? Best Technical Security Blog ...

Satellite Hacking on the Cheap

Are you one of the many companies that rely on satellites to communicate with your, uh… satellite offices? We security professionals often ask hard questions about how that data is protected en route and usually are quickly dismissed with an “Oh, it is too hard to do and would require a six-figure investment in hardware to accomplish.” Well, thanks to Adam Laurie, you can do it for around $1,000! If you are relying on satellite communications, you should now be asking those hard questions of your provider, and making sure that you have acceptable encryption on those lines preventing someone from intercepting or injecting traffic into that stream.

Payment Security Professional of the Year

It’s official, I was selected as Payment Security Professional of the Year by the Society of Payment Security Professionals! The Society has gained a ton of momentum in the industry and launched their two excellent certifications, the Certified Payment-card Industry Security Manager (CPISM), and Certified Payment-card Industry Auditor (CPISA). If you are looking to get into this industry, or work for a company subject to PCI compliance and have responsibility for PCI, you should have these certifications. This training is better than the training that we receive as QSAs for a few reasons, but mainly because it covers a much wider base than just PCI-DSS. Anyone that has heard me speak about the negatives associated with a breach and/or non-compliance ...

Really Peter? 219K Sites?

I’m not Seth Meyers. I’m not a television star. I don’t have a team of writers feeding me stuff on cue cards. That said… According to an article by Fred Aun, Peter Alguacil from Pingdom released a report recently suggesting “there are probably 219,000 sites with outdated SSL certificates.” Probably. Fred, who rounded the original 219K figure from Peter up to 250K in his posting, goes on to describe the “bit of math” that Peter used to come to this conclusion using data from two different sources. First, Netcraft estimates there are one million sites with valid SSL certificates. Next, a report by Venafi released in 2007 suggests 18% of Fortune 1000 sites had expired certificates. So then Peter does ...
