Category Archives: PCI

The Dangers of Hindsight

Bob Carr gets it. He had to suffer through one of the largest credit card breaches on record to get there, but he gets it. Digital Transactions Magazine published an article featuring Carr entitled Don’t Hire a QSA by Seeking the Lowest Bid, Warns Heartland’s Carr. In it, Carr painfully recalls how his previous assessors did not provide him much value, and how the low-cost bid is rarely ever the best bid. If you read his article, he doesn’t specifically argue that costs should start escalating quickly, but rather he argues that companies should spend the time to get a QSA that does a thorough job, and is not motivated to get in the door, go as quick as possible, and ...

Getting the Most from your QSA

Bill Brenner of CIO magazine published a feature article on Wednesday entitled “4 Ways to Get the Most From Your PCI QSAs” in which he picks four main things to focus on when using the services of a QSA. VeriSign published a whitepaper last year reviewing several items to consider when shopping for a QSA, all of which tied back to Brenner’s recommendations. Brenner asserts that the four ways to get more from your QSA are: Choose your vendor wisely. PCI compliance is probably an important project to your organization, so be sure you find a QSA that will make your project successful. Don’t hastily throw a solution together; treat it like the strategic project it is (and then treat it ...

Visa Makes Registration Easier!

Are you a service provider frustrated with the steps you have to go through to become listed on Visa’s global list of PCI DSS validated service providers? The process of getting listed when you are not a member or a direct agent of a member seemed clouded and painful, until now! Visa recently added a very detailed Third-Party Agent (TPA) section to the Risk Management section of their website that details exactly what needs to be done to be listed on the site. If that were not enough, there is a fantastic FAQ in PDF form that you can take with you wherever you go. As part of this change, Visa eliminated all of the old classifications like Independent Sales ...

Blame MBAs for PCI Remediation Costs!

Do you ever wonder how we got into this situation? Where merchants are facing tremendous fines for non-compliance, companies are being compromised by hackers here and overseas, and data security programs seem to be non-functional at best (if not non-existent)? I’ll tell you how… MBAs. Yep, those pesky folks that learn the inner workings of how to take advantage of numbers to best increase their own personal compensation? Yes, another MBA dog-pile. And I feel qualified to pick on my MBA brethren because I are one. All seriousness aside (did I do that right?), let’s think about how payment systems started inside retailers. This is a classic example of the Build vs. Buy problem in every single MBA finance class. ...

Speaking at VMWorld!

Are you at the VMWorld show? If so, be sure to attend my panel discussion entitled “Virtualization and Compliance: The Auditor’s Perspective” today at 11:30am in room 310! Joining me on the panel will be Nigel Tranter, Partner at PSC, Ray Zadjmool, Principal Consultant at Tevora Business Solutions, and Bill Hau, Vice President at Foundstone. The panel is moderated by Charu Chaubal of VMware. Hope to see you there!

PCI SSC Releases Skimming Prevention Tips

Skimming (in the credit card world) is commonly defined as capturing magnetic stripe data during the normal payment process by swiping the card through an external (or even inline) device before or after the authorization swipe. External devices are commonly found in stores where a payment instrument is presented and someone takes the card away from view to process it, like at a restaurant. Inline skimming occurs where the cardholder is present during the swipe, and usually involves tampered swipe devices. The PCI Security Standards Council recently released an EXCELLENT guide with tips on preventing skimming, with sample forms that you can use to track your progress. Most of the skimming techniques employed can be addressed with physical inspection, something with which ...

The End of PIN-Debit for Fuel?

PIN-based debit authorization rates have recently increased dramatically, with some merchants complaining that their auth rates have increased up to four times their previous rate. In some armchair research, I learned that Interlink (Visa) and Pulse (Discover) have removed interchange caps on transactions. For most merchants, it is still cheaper to process a PIN-based debit transaction than a credit card transaction (on a per-transaction basis), but for others it is about the same. Or at least the difference in cost is so minimal that their volumes don’t force an advantage one way or the other. Visa is enforcing PIN Entry Device (PED) mandates, effective July 1, 2010, whereby all PEDs must comply with the PCI PED Standard. For retailers ...

Splain it, Brando!, and Finding your Data

On Thursday, I threw out a blog post which I hope will be the start of a series playing on Dave Ramsey’s style for financial peace, and realized I played the role of a consultant PERFECTLY (just like Marshall Eriksen might LAWYER you). SK pointed that out for me when he asked me to elaborate. In a back-to-school fashion, imagine this conversation as played through your teenage daughter’s cell phone. “I was all, ‘Just find the data!’, and he was all, ‘Whatever.’” I am so in touch with today’s youth. SK brought up a good point. Let’s say you are working with an enterprise that does not have any of the following: 1) a working DLP solution, 2) ...

Dave Ramsey Applied to Security, Baby Step #1

I’ve been on a Dave Ramsey kick lately. I like his message and his concept of declaring war on debt. One of his mantras can save people TONS of cash if they would just use basic things they learned in school: “Do the math!” Everyone out there has a brother-in-law, church buddy, or friend of a friend who is “a finance guy.” We tend to listen to people we consider experts without questioning their motives, simply because we don’t believe we can comprehend the complexity of the question enough to figure the answer out ourselves. For example, several years ago I went to a car dealership to buy my wife a new car. I had just recently graduated with my ...

New Visa Mandates are NON-US/Canada!

Well, I was waiting to see if anyone would catch it, and unfortunately it looks like a couple of industries struggling with Visa’s Payment Application Mandates are not going to get a reprieve. Earlier this month, I posted about some new Visa Payment Application Mandates. What I didn’t drop into the blog post was that Visa made sure this new mandate did not supersede their previous mandate, meaning that US and Canada merchants do not get a two-year reprieve and that these are now GLOBAL mandates. Non-US/Canada merchants now have a reason to get moving and deploy up-to-date payment applications!
