Category Archives: PCI

Avoid Looking Like a Rookie

In my recent presentation, “The Mistakes QSAs Make,” one of the mistakes I highlighted is that QSAs will often send the F’ing New Guy (FNG) to perform your assessment. Now before we go bagging on junior consultants, I want to be clear that (most) of these guys are both capable and qualified. Starting this year, new QSAs have to take a closed-book exam, which should cause the amount of late night partying and drinking to decrease during training, and push the fail rate up (which is not necessarily a bad thing). Let’s say that you are the FNG. Step Zero to avoiding looking like a rookie is to admit to yourself that you are the FNG. Once you admit ...

Getting Support for PCI DSS

For the record, I LOVE it when people send in emails requesting a specific blog topic.  I can’t get to them all, but it sure helps set the direction.  The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)! In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity): How do I make executive management (C-level) aware of the necessity for, and importance ...

What’s a Token?

Along with the confusion on the term End to End Encryption, Tokenization (or just simply tokens) is a term used to describe many things.  But what is a token really?  The PCI Council does not provide any guidance other than the definition for an Index Token in the glossary: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value. But even this does not really help us.  To make matters worse, the term “token” itself is defined in the PCI DSS Glossary in the context of a 2-factor authentication device like SecurID.  I’m going to take a crack at defining it and discussing what the variants might be and how they could be weaker ...

Key Logger Attacks on the Rise (this is no joke!)

Visa released a report yesterday on their website (dated March 17) warning merchants about the rising threat of key logger and screen capture attacks. I went back looking through my archives to see if I’ve written about this danger before, but I think my examples are ones that I typically talk about. But don’t worry, I’ll put one for you here! This particular alert from Visa targets software keystroke and screen captures. At the bottom of page two, Visa puts some MD5 sums for various malware, probably obtained while investigating merchant breaches. They also provide eight mitigation strategies to be used as preventative measures for areas that are likely to be targeted for malware installation. My real world example ...

The Mistakes QSAs Make

Aside from a rather embarrassing moment last night with Keynote (note to self: make your FIRST and LAST slides different, and actually test MOVING slides before the room is filled with expectant eyes boring holes through my skull into the screen behind me), I spoke to a local group of PCI DSS enthusiasts about the mistakes that QSAs make, and how to deal with them. I came up with several, but would really like to see what YOU FOLKS out there think! Submit comments below anonymously or with your name, either way. This is open to anyone! QSAs, ASVs, acquirers, issuers, merchants, service providers, ISOs, security professionals, PCI HAY-TAHs, payment brands, Council members, Jim, forensic investigators, and other PCI experts. ...

Compliance, Easier than Security!

My undergrad is in Marketing.  I sometimes call myself a marketing guy, but only right before I rip on one that hypothetically might do something causing a technical guy to lose his weekend.  One of my favorite marketing guys is Seth Godin, and every once in a while he posts something that works not only in the Marketing world, but in our world. On Friday, his post “It’s easier to teach compliance than initiative” reminds me of how our business works.  Isn’t it WAY easier to talk about some kind of security-related compliance versus actually talking about security?  Think about your past interactions with information security.  Did you have a chance to create a 3-5 year plan detailing how you ...

Subscriptions Deal with Transactions Times Twelve

I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card), and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket! While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, it is interesting to consider what might happen if you were to reduce the number of payment cards you process in one year. Is there a way to game the system? Well, maybe two ways. First is to delete PCI DSS data, but that’s not ...

Personal Liability for QSAs

I was chatting with a colleague this week, let’s call her Anne, who had a very interesting question. “Should Anne carry personal liability insurance as a QSA working for a QSA company?” She was trying to assess her personal liability for doing QSA work. So let’s say Anne made a mistake, and that mistake caused a merchant to be breached; would her former employer go after Anne to make her a scapegoat after she left? I had a brief discussion with David Navetta of the Info Law Group about the idea (and please note that anything found here is NOT legal advice, and you should always talk to an attorney if you have an issue… entertainment purposes folks), and he ...

Forrester Unleashes PCI

John Kindervag, prominent analyst from Forrester, released a report this week entitled PCI Unleashed, where he talks history, dispels myths, and gives practical tips for companies trying to get a handle on PCI DSS.  John doesn’t waste any time getting started, and throws out a couple of points to shock the reader.  In fact, I’m kind of shocked they are in there, but it’s refreshing to see an organization of Forrester’s stature putting them into writing. While many agree that PCI DSS should be blamed on the payment brands, John asserts that it should not.  While I agree that the result (the standard itself) should not necessarily be blamed on the payment brands, its evolution is a direct result of ...

The Yes/No PCI Assessment

Chris Mark over at the PCI Answers blog wrote a fantastic post on The Rise of the Defensive PCI Assessment toward the end of last year.  I read it right after he posted it, and knew that I wanted to add to his thoughts.  It’s taken me about this long to get my thoughts together. I’ve been busy! I totally agree with his assessment, and I have run into some situations where this has come up with other QSAs.  Some QSAs have altered their interpretations (or made them more literal, I should say) because they realized that they were interpreting the standard incorrectly, or they priced the assessments so low to get the business that they can’t afford to understand ...
