Categories ArchivesPCI

Check me out on the Network Security Podcast! standard

I met up with Martin Mckeay out at BlackHat this year, and we found what we thought was a quiet corner to chat about security.  Go check out the Network Security Podcast here! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service PCI DSS 4.0 Released plus BOOK DETAILS! Preventing Account Takeover, Enable MFA!

Continue Reading

Where’s the Breach? standard

All we need to top off this post is a little old lady screaming “Where’s the Breach?” God bless 80’s marketing. A merchant out of Austin, Texas is claiming that a breach in their network came from Heartland Payment Systems (HPS), thus it must be their fault. While I am sure this is not the first merchant to be caught off guard, he’s certainly a creative one. Our culture in America seems to relish deflecting blame from oneself on to others. Why, it couldn’t be me, it must be that guy over there. What’s interesting about this particular case is that the quotes in the article are being interpreted in a manner that is inconsistent with these kinds of breaches ...

Continue Reading

The Council is Such a Tease with PCI DSS 2.0 standard

They totally are!  Giving us this little tiny preview of upcoming changes without really getting too specific.  It’s like me saying, “Dude, that chick is HOT!” Then when you ask me to describe her I say, “It’s a lady all right!” OK, back to the real reason you are reading this, the changes to PCI DSS and PA-DSS slated to drop on October 28 are outlined here. The majority of the document reviews the new lifecycle, how and why changes are made, and the three general types of changes outlined: clarifications, additional guidance (which is just a fancy way to say clarification), and a requirement that is evolving based on new threats or a change in the market. This release represents ...

Continue Reading

Why your QSA should not be your Security Partner standard

This one is link-laden folks.  Enjoy 🙂 It’s just mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well. Many merchants and service providers mistakenly depend on their QSAs to find all security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to get a complete and compliant ROC in the cheapest way possible.  QSA companies are motivated by three main things: Scope and price the deal in ...

Continue Reading

PCI Council, How About a Map? standard

When I started writing this post, I was trying to think of a metaphor for a map and a journey of some sort, but everything came out dripping with Cliché Cheese ((It’s somewhere between month-old shredded Cheddar cheese that you would toss on some chips and zap for “nachos,” and that orange substance you get on nachos at a high school football game.)) or would have made sense only to a limited audience (Shout out to the P1, between the devil and the deep blue sea, and kick the tires and light the fires… as it were). The point I was trying to make, however, was in light of PCI, we seem to be navigating a changing world with a ...

Continue Reading

Tokenization and Chargebacks standard

The NRF released a brief yesterday discussing the clarification Visa made to the operating regulations related the storage of full card data after the transaction. As suspected, some acquirers and processors were interpreting the rule to mean that Visa required merchants to store the full card number for things like chargeback processing ((The clarification was made on the Issuer side of the transaction.)). Of course, with a phone call, acquirers quickly seemed to learn what the real intent of the rule was. I can only describe this second hand, but here’s what I know for sure. Over the last 6+ years, I have worked with many merchants to help them rid their systems of PANs. In exactly zero instances, I ...

Continue Reading

Level 2 Merchants, Are Your Folks Trained? standard

Is anyone thinking about June 30, 2011 yet?  If you are a Level 1 or Level 2 merchant, you certainly should be!  Here’s why: MasterCard had a rough time last year. They made some new rules, they changed the rules, and then they removed many of those rules.  This year, they worked out the kinks (arguably something they should have done before the first announcement) and have a revised set of requirements. Remember us talking about reciprocity last year? From the excellent post by Chris Mark on the end of the Level 4 Merchant to the retraction and strange website posts and commentary by MasterCard, reciprocity was a hotly debated issue.  As of this writing, the reciprocity on MasterCard’s website ...

Continue Reading

PCI Security Standards go to Three Year Lifecycle standard

On June 22, the PCI Security Standards Council announced that effective October 2010, all of the standards under its care will move to a three year development lifecycle from the current two year lifecycle we have enjoyed since the standard was originally released on December 15, 2004. I had a chance to sit down with Bob Russo (VIRTUALLY that is) and discuss some of the changes and how that affects the standard going forward. According to Russo, the change is “a direct result of feedback from [sic] our board of advisors [sic] and participating organizations ((Quote shortened for brevity.)).”  He believes the change is “a win-win for everybody.” In the linked press release above, the Council cites feedback from key ...

Continue Reading

No More WEP, Did You Make It? standard

Well, last week saw the passage of June 30, 2010.  Do you know where your WEP is? For those of you subject to PCI DSS, you are no longer allowed to use WEP to “protect” your in-scope networks (Requirement 4.1.1, in the italics).  Remember when PCI DSS 1.2 came out and you thought you had plenty of time?  Hopefully you planned well. I have not run into too much WEP on in-scope networks in the last year or so.  I still see it in retail locations for inventory control or other types of wireless networking, but those are usually firewalled off from the POS environment. Is anyone out there still using WEP? Possibly Related Posts: Level Up Cybersecurity with Kasm ...

Continue Reading

PCI Doesn’t Take Vacations standard

I was lucky enough to spend some quality time away from the tubes last week, and while I am not part of a rogue PCI enforcement militia, I do tend to observe how organizations tackle security and compliance issues.  For the first time, I found a rather unique disclaimer that was mere feet away from the Point of Interaction.  It shocked me so much, I snapped a picture to make sure I got the wording correct.  It plainly stated: WARNING: The method used to authenticate credit card transactions for approval is not secure and personal information is subject to being intercepted (the original sticker said ‘intercetped’) by unauthorized personnel. I promptly copied the phone number down and passed it to ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!