Category Archives: PCI

Bob Carr: “QSAs let us down.” And Things Never Heard by a QSA

Bob Carr was recently quoted in a Computerworld article saying that QSAs let [Heartland] down. Of course, he is not referring to his most RECENT QSA, but I’m sure that was an editorial change to make the story more interesting. The article is a fantastic read, but also slightly humorous in nature. I’m going to leave Heartland’s situation out of this post and look at other companies that have dealt with breaches. If you want to see what others are saying, check Rich Mogull, Mike Rothman, and Andy Willingham. Nearly every company I have worked with suddenly “Gets Religion” after a breach. Prior to it, security is not top of mind, therefore things like PCI become burdensome as opposed ...

Visa Sets Payment Application Security Mandates

As many of us in the industry had suspected, Visa has delayed its payment application security mandates two years to 2010 (newly boarded merchants) and 2012 (all merchants). The information was officially released on June 24, but I certainly did not see any public reference to it until recently. This is rumored to be largely in response to a low supply and high demand issue in the fuel industry. So those of you that were dealing with unrealistic deadlines, you’ve got a reprieve! Keep pushing though, don’t be one of those guys limping in at the eleventh hour!

Featured on the SecureLexicon Podcast

Steven Fox, blogger for CSO Online and fellow columnist in the ISSA Journal, interviewed me for his Art of War Podcast where I discuss the parallels between Sun Tzu’s teachings and PCI Compliance. Of the podcasts I’ve done, this one was particularly fun for me because I had to grab my Art of War book off the shelf and study up for it! Sun Tzu’s teachings apply to PCI and Information Security (it is a war, people) when you read his book in the light of an information security perspective. Go check out Steven’s column in the Journal, his excellent podcast, and Sun Tzu’s Art of War!

How PCI Can Ruin You

No, this is not one of those posts poo-pooing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers I had visited over the years, all the problems I have seen, and how even today the problems that come up are essentially caused by common root issues. BTW, I’m hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them! That was, by far, my favorite part of writing the book. Maybe I’ll try some bad fiction writing next? (FAIL) Anyway, one of the things that the information security ...

The Simplicity of PCI, and the best way to complicate it!

OK folks, bring on the love. Ready? I’m going to stick my neck way out there. PCI is easy. *GASP* OK, taking a company that ignored security (or only focused on one particular element of a good security program) to compliance is hard, painful, and will result in lots of kicking and screaming and other tantrum-like actions. Why? See this post. But take PCI DSS on the surface. It’s prescriptive (potentially overly so in some cases), it is based on a good, common set of security practices that, quite frankly, you should already be doing, and its impact on your organization can be limited dramatically depending on how you approach it. If you look at the high level twelve ...

MasterCard Fines Start NOW

On Monday, I told you all about a MasterCard fine schedule but I was unsure of when it was going to start. Well, as it turns out, Level 2 and 3 merchants are being fined NOW, not sometime after the December 2010 date. That’s right, some Level 2 merchants have already received their first $25K fine from MasterCard under their new fine program. Apparently, that’s how many of the acquirers found out about the program!

MasterCard to Fine Merchants for Non-Compliance

OK, SOMEONE out there has some explaining to do. Like, right now. Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa. We’ve had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months, beginning NOW. Why the ambiguity? None of our customers seem to have a date when the fines start! This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...

Why PCI DSS is a good thing for YOU!

You know, it’s kinda funny. Everywhere I go, I see how polarizing PCI DSS is. If you deal with PCI often, think about your interactions with others when discussing PCI. This is a response you have probably never heard: “Well, that PCI thing is OH-KAY. I’m not really thrilled one way or the other…” More likely it was something like “That F&*@ing PCI DSS! I hate it!” or “God bless those PCI DSS Overlords for giving me a stick to whip my company into shape!” I tend to hear the former much more than the latter, but that demonstrates the wide difference in corporate cultures faced with PCI DSS. Those of you screaming and complaining about PCI should stop for ...

Requirement 11.2 Follies

Why is Requirement 11.2 one of the most failed by merchants and service providers alike? Requirement 11.2 has shown up here a few times, but looking back, I never really explored the issues in detail. Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake. Requirement 11.2 mandates quarterly scans for all hosts in scope for PCI, both internal and external. Scope reduction techniques like segmentation can do wonders for limiting what needs to be scanned, but make the biggest impact internally. In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of ...

Webcast, on July 7, Maintaining PCI Compliance!

Please join me on July 7 for an informative webcast on Maintaining PCI Compliance! To register or attend, please go to: http://www.brighttalk.com/webcasts/4431/attend. Now that Level 1 merchants have undergone a few annual Payment Card Industry (PCI) assessments (and Level 2 merchants are soon to be doing the same), they are coming to the realization that a mature, sustainable compliance program requires more than a once-a-year rally to prepare for, participate in, and pass an assessment. Daily operational focus and ongoing effort are vital to protect investments in compliance, manage risk, and minimize the business disruptions and costs associated with achieving and demonstrating compliance year after year. This presentation discusses best practices for building a compliance program that can be supported and maintained ...