Category Archives: PCI

Seven Deadly Sins of a QSA (Part 4)

Being a Security Professional Being a security professional can be a curse when logically thinking your way through compliance initiatives. No compliance initiative should be a substitute for a sound information security program, but we as security professionals often get caught in the compliance trap. We’ve been beating the security drum for years, yet our musical stylings have gone unappreciated. Enter a compliance initiative and all of a sudden someone is forcing the business to do what we’ve been telling them to do all along! We tend to take advantage of this new security spending windfall and add all kinds of stuff to purchase orders in the name of compliance. QSAs are guilty of this as well. Oftentimes a ...


Seven Deadly Sins of a QSA (Part 3)

Mis-hearing the Trainer QSAs must pass an evaluation from the Council every year, in addition to earning at least forty CPEs, in order to maintain their QSA designation. Prior to 2010, this meant finding a QSA Requal class near you and having your primary contact book your attendance in said class ((You can now do your requalification online.)). Trainers come and go as we have seen over the years, and I sat through a session with a good number of my team led by a new trainer a few years ago. One of the most important steps a QSA must get right is choosing the correct scope for the assessment. Getting that step wrong sets the whole assessment and the PCI ...


Seven Deadly Sins of a QSA (Part 2)

Sin #1 – Making Up Requirements One of the most common mistakes QSAs make is to simply make a requirement out of nothing. Don’t fool yourself into thinking PCI assessing is simply black-and-white judgement calls; PCI DSS is complex. In fact, as a security professional, it’s easy to take any good security practice from your brain and tell someone trying to comply with PCI DSS that it needs to be done. For example, changing passwords on a somewhat regular basis is a practice that we all hate doing, but force our users to do anyway. Even without looking at PCI DSS—a standard that has the word “security” in its name—a QSA could tell someone to set up some kind ...


Seven Deadly Sins of a QSA (Part 1)

Those of you who attended HoustonSecCon or #BSidesDFW saw my presentation entitled “The Mistakes QSAs Make.” After presenting, I thought the overall message needed to get to a wider audience, and not just through the slides I present. I set upon this endeavor and came up with the following series, entitled the Seven Deadly Sins of a QSA. I’m going to be posting this over the next couple of months (and a single PDF in its entirety when I finish) for you guys out in the tubes. Here is a brief intro to get things going! People make mistakes—and in a people business like consulting, you can expect to see more than a few of them. This series explores seven ...


PCI 2.0 is now Effective!

The PCI Security Standards Council announced today that PCI DSS 2.0 is now effective. What does this mean for you as a company that must comply with PCI DSS? First, don’t panic. PCI DSS v1.2.1 is still valid until the end of 2011. If you are working on project plans to finalize compliance against this version, continue to do so, and start working on your PCI 2.0 plans. Your acquirer can provide specific guidance on exactly when you need to send them a validated 2.0 Report on Compliance. Next, you should have a gap analysis done against the new standard—sooner rather than later (I happen to know a team of folks that would be GREAT at this….). While there are ...


Five Ways to Get it Right from the START

I was sitting in one of my thousands of mobile offices yesterday (i.e., the Starbucks down the way from one of my new favorite local hang-outs) wrapping up the year ((On my day off, I might add.)) and I couldn’t help but overhear the gaggle of ladies sitting at the table in front of me talking about negotiating some kind of credit card processing agreement for their new business. This was, of course, AFTER the extremely loud gift exchange. I think one of them might have been a gag gift, unless this nice middle-aged lady really did want Cookin’ with Coolio for Christmas. I find his measurements hard to follow. How much is a “dime bag of salt” anyway? ...


Five things to do for PCI during the freeze

IT and security professionals who work in the retail and banking space tend to go into lockdown during the last half of November, all of December, and the first part of January. We’re all saying our little prayers, and doing whatever rituals we do to keep those systems running worry- and breach-free until the cash flows come back to normal. So what kinds of things can you do to be productive and prepare for 2011? Get on those quarterly scan results! Hopefully you got a clean scan right before the freeze happened, so you can spend this time planning for your next one to ensure you have clean execution and quick remediation for any items found. Examine data ...


New PCI Services from EMC/RSA

EMC Corporation, in conjunction with EMC Consulting and RSA, announced expanded consulting services to assist companies with PCI compliance, as a subset of our larger GRC and information security initiatives. The three new services are: PCI Program Strategy and Implementation – Organizations leveraging this service not only remedy their PCI compliance issues, but develop a security and compliance program that is aligned with business objectives. New services offered include program development and management, design of strategic frameworks for the PCI program, assessment and development of processes and best practices, and PCI training for security teams, data owners, key stakeholders, and internal audit teams. PCI Readiness Assessments – This service evaluates an organization’s current PCI DSS posture and helps develop a remediation ...


What about Mobile Payments?

Thanks to a reader who gave me an idea for a blog post! You can suggest your own topics here. Mobile payments means a lot of things to a lot of people. Is it paying for things with that fancy iPhone app? Is it a Wi-Fi or cellular linked payment terminal? Is it paying for things with your cell phone using either an SMS-based payment or a Near-Field Communication (NFC) transaction? For the purposes of this post, I want to focus solely on SMS-Based or NFC transactions that would originate from the buyer’s cell phone. AT&T, T-Mobile, and Verizon announced last week the formation of ISIS, a mobile payment network that looks to capitalize on the per-transaction revenue that can ...


PCI SSC Releases 2.0 Versions of SAQs

Man, I’m falling into the EMC culture nicely. It’s an acronym laden Friday (INSANE IN THE MEMBRANE)! Last night I received an email from the PCI SSC PR team about the new Self-Assessment Questionnaires. You can get them here. While they were not released on the same day as the 2.0 version of PCI DSS, they were quickly ushered out the door. Kudos to the Council for getting these done in a timely manner! I know I’ve had NUMEROUS questions from the 7+million merchant community that deals with SAQs over the last three weeks on the pending release of these. One of the biggest adjustments to the SAQ process is the recognition (or segmentation maybe) of the virtual terminal. If ...
