Category Archives: PCI

Do Mainframes Get A Pass?

When I first started doing PCI DSS work under the then CISP and SDP standards, one of the biggest problems I ran into was what to do with one of those fancy mainframes.  In this job, you see ALL manner of mainframes.  I’ve seen super shiny, brand new z/OS multiplexes to aging, but functional Tandems to an OS/390 system that literally had no changes performed on it in more than two years. How does anti-virus apply to those again? I recently fielded a question about mainframes, and if they still “get a pass” when it comes to certain requirements like anti-virus (Req 5), and encryption (Req 3.4).  As is with most of PCI DSS interpretation questions, it certainly depends on ...

MasterCard’s Got Its Flippy-Floppies

The PCI DSS world was shocked yet again this week when MasterCard backed off its position from earlier this year, requiring Level 2 merchants to obtain validation from a QSA, and is publicly aligning its levels directly with Visa—including setting reciprocity with their levels.  The reason I put “publicly” in there is because the merchant operating regulations are NOT public for MasterCard like they are with Visa, but I understand that level reciprocity remains in those regulations even though it was removed from the public-facing information. This is why merchants and service providers alike don’t take deadlines seriously.  Visa has (in the US anyway) at least tried (and mostly succeeded) to stick by their deadlines, though I’m not sure ...

The Book, It’s OUT baby!

That’s right!  If you pre-ordered our (Anton Chuvakin & mine) book, you should be receiving it today!  It’s chock full of all kinds of fun stuff.  For example, did you know that I worked in the word “brewdog?” In fact, let’s make a contest out of this.  The first five people to email me the page number in the book where that word appears will be entered to win a $30 Amazon.com gift card! Anton has a video in his blog where he talks about the book, and I have something special coming up soon.  I’ve got it half done, but have not recorded the actual video of me talking yet.  Look for that early next week or late on ...

Consider Outsourcing Cashless Payments

One of the things that baffles me every time I walk into a retailer struggling with PCI compliance is why management doesn’t consider completely outsourcing all of their cashless payment processing.  I know how we ended up in this situation, but who takes the blame for continuing to push this paradigm forward? Let’s take payments off the table and re-focus on the information we store. Information today is the lifeblood of business.  The value of information is in the process of distilling petabytes of information into actionable tasks that create competitive advantage.  Because information is perceived as highly valuable, the general position of information managers is “store or get access to every piece you can, then we’ll figure out how ...

The Gobble-Gobble of Public Networks

Here in the US we celebrate and give thanks for the harvest on the fourth Thursday of November, one month after our Canadian brethren did.  Does security stop just because most companies in the US are closed?  Nope, in fact, I’d like to give a shout out to all of you folks taking the overtime pay to spend time babysitting your networks.  For you, I am thankful. The PCI Europe meeting has been the topic of several blog posts recently, and here’s yet another one inspired by the Q/A session at that meeting. The Technical Working Group (TWG) must cringe when the definition of public networks is asked in a crowd.  I believe that this was one of those phrases ...

Multi-Function Service Providers, What To Do?

Service providers have dealt with compliance-driven information security mandates for much longer than merchants have.  The catalyst for Visa’s CISP program was reportedly service providers, but enforcement ultimately expanded to all stakeholders.  Regardless of its origins, a certain class of service provider has significant challenges complying with these requirements without shuttering portions of their business. Let’s say that a financial service provider is processing credit card transactions as an acquirer, as well as doing issuer processing for other third-party banks.  How can the business comply with PCI if they also must store prohibited data in order to process on behalf of their issuer customers? That, my friends, is one of the big questions in the industry today. Attendees from both ...

E2E Encryption Reduces Probability, Not Eliminates Liability

Ahh, back to thinking about Prague.  I can almost taste the goulash! End-to-End Encryption (E2EE) is widely discussed, but its effects are largely misunderstood by merchants looking for relief from the burdens of complying with PCI or government rules and regulations.  Merchants have approached me asking if implementing E2EE will eliminate their liability and PCI responsibility. This exact question was asked in Prague during the Q&A session. The first issue here is E2EE is not likely a reality we will see anytime soon.  Remember the ends we are dealing with here.  End the first is the device reading the payment instrument, and the other end is the issuing bank (or issuing processor) that ultimately approves the transaction.  All ...

More Fun with Hashed PANs

Hashed PANs are a double-edged sword.  Hashes seem to be coming up quite a bit lately, and in fact there was a question about hashed PANs at the PCI Europe meeting. Luther Martin at Voltage discusses one of the two main issues with hashing, and that is the ability to create rainbow tables whereby you can easily take a known hash value and back your way to the input used to create it.  Granted, one of the issues that exacerbates this for cardholder data is the limited keyspace in which card numbers are valid.  Remember they all start with published six-digit BINs, and any number must pass a Luhn check.  But, before we dance on hashing’s grave, let’s ...

Will PCI Mandate the Use of Data Discovery Tools?

The PCI Europe Community meeting was set in the beautiful Marriott in Old Town Prague last week, and even though there were fewer attendees than the meeting in Vegas, there was no shortage of intensity and well-researched questions. One individual asked about the use of Data Discovery tools as a mandate to assist in the scoping of PCI assessments.  Imagine as a QSA walking into a customer, running a tool, and knowing EXACTLY the scope of the PCI assessment you need to perform!  There would be little chance that you under- or over-scoped it, and all those little nooks and crannies that scare the bejeebus out of a QSA would be documented right there for review. If you are ...

Does PTS Apply to ATMs?

I’m writing (but not publishing…. Come on folks, it’s 2009…) this from 35,000 feet, somewhere over the north Atlantic, east of Iceland.  What else am I going to do while sitting in a big, metal recycled air tube hurtling over the surface at speeds never meant for man?  Think and write about security, of course! I’m heading back stateside after a great PCI Europe community meeting.  I didn’t get the final count, but the meeting had just north of 200 attendees.  It seemed smaller than last year, but that could have been the seating arrangement.  One of my favorite sessions is always the PCI Standards Feedback and Q&A Session.  This year was no different! While the questions in the US ...
