Category Archives: PCI

The Top 8 Requirements Your Assessor Misses

The QSA community at large received the May edition of the assessor update from the council on Friday. In it, Troy Leach is giving us hints on which requirements assessors are messing up the most. Keep in mind, he is speaking about this from the Quality Assurance process, and not from watching assessors conduct assessments. The reason I make this distinction is that your assessor COULD be evaluating the criteria mentioned and not documenting it properly in the ROC. Here ya go, here’s the top 8 (from the May 2009 Assessor Update) copied right from the update.

Requirement 2.2.4 – “For a sample of components…”, often there is no sampling defined or components listed

Requirement 3.2 – Few if any ...


Do Data Breach Laws Push Compliance?

CIO Australia recently posted an article suggesting that data breach notification laws drive compliance. Bob Russo is quoted quite a bit in the article, but there is a part that is missing. It’s not Bob’s fault, he is speaking from the Council’s perspective. He hit the bullseye. But what Bob does not say is what is really driving compliance. I’ve been doing PCI/CISP compliance work since 2004, not quite two years AFTER the September 26, 2002 filing of California’s SB 1386, the first State Data Breach Law. Unfortunately, many companies did not pay too much attention to it until several years later when other states started passing similar laws, especially when Minnesota passed the Plastic Card Security Act in 2007. Being ...


Compliance & Security Diverge on Private Label Cards

Here’s one of those areas where security and compliance stare at each other angrily across the table instead of skipping down the trail together singing, “Tra-la-la.” I was speaking to a friend of mine at a birthday party about this because guys don’t stay inside for the Hannah Montana makeover, we go outside and talk about beer, sports, and information security. OK, SOME of us do that. So what if I like my toes painted? Anyway, he was telling me that his company was taking the stance that private label cards, or those cards that have the company name on them instead of a Visa, MasterCard, American Express, Discover, or JCB logo on them, should be included in their PCI ...


Debating PCI, and the Story of the Unresearched Position

Do you remember debate or speech class? I remember having a professor assign me the counterpoint position on an issue with which I didn’t agree. I always thought that the other guy had it easy if our beliefs were the same, because he already believed what he was saying. I recently read an article by Ariel Silverstone in CSO Magazine entitled “Where PCI DSS Still Falls Short (and How to Make it Better)” in which Ariel seems to have been put in a similar situation. Either she was asked to publish something (anything), or asked specifically to publish something on PCI; regardless, she should have spent a little bit more time on research than she did. After reading her positions, ...


The Legal Risk around PCI

David Navetta published a fantastic article in this month’s ISSA Journal entitled, “Who is Minding the Legal Risk around PCI” that takes a deep dive into the legal ramifications of not complying with the standard. If you do not get the journal, first off, go join the ISSA! It comes free with your membership! In the meantime, jump over to David’s blog to read the article! Towards the latter part of the article, David lays out two very real risks that I have discussed many times in this blog, such as QSA shopping, rubber stamping, and scoping. Enjoy, and have a great weekend! ...


Join me for a Compliance Week webcast!

What are you doing at 2pm eastern today? If you have that annoying budget meeting, or maybe one of those late lunches with the group of folks that bug you, how about joining me for a webcast on PCI? Click here to register, and I’ll be on Twitter during the event if you guys want to interact!


An alternative to PCI

PCI is still a hotly debated topic nearly four and a half years after its initial release on December 15, 2004. You didn’t have to visit too many after-hours parties or exhibitors at RSA to see that. Most of the criticism of PCI comes from people who really don’t understand it, or don’t understand how to use it to their advantage. And those people fall into two categories themselves: those who are green to PCI and are overwhelmed, and those who love their soap box. Those in the former bucket just need time to get up to speed. PCI, like Rome, was not built overnight, and it requires weeks of study to fully grasp how it will affect your environment. ...


The Art of the Compensating Control (Part 6, The Finale)

See part 1 here, part 2 here, part 3 here, part 4 here, part 5 here. Go Forth and Compensate! What a pretty mural we have painted over the last several pages! Good compensating controls are the result of a marriage between art and science. We’ve discussed what compensating controls are, what they are not, some funny examples of how to go wrong, and three solid scenarios from which we created good controls. Compensating controls are not the golden parachute of compliance initiatives. They require work to build effective ones that will pass the scrutiny of both a QSA and an Acquiring Bank (or card brand). Rarely do they yield lower cost and effort than simply meeting the original requirement. ...


The Art of the Compensating Control (Part 5)

See part 1 here, part 2 here, part 3 here, part 4 here. How to Create a Good Compensating Control We’ve spent quite a bit of time setting this section up. We talked about what Compensating Controls are, what they are not, and some of the best misguided attempts to create them. Before we discuss the examples, please remember that these examples should be used for illustrative purposes only. I have oversimplified the scenarios for brevity, and things are rarely as simple in the corporate world. Ultimately, compensating controls must be approved first by a QSA, or barring that, your Acquiring Bank. I know I don’t like it when someone slaps some random article about PCI on me during ...


The Art of the Compensating Control (Part 4) Tax day special!

See part 1 here, part 2 here, part 3 here. The Funniest Controls that You Didn’t Design Some of my most cherished stories and experiences come from customers and vendors that had the right intentions, but never seemed to follow the basic doctrines listed above on how good compensating controls are made (By the way, if you read this and think, ‘Hey! He is talking about ME!?’, I’m not. I promise.). During my career I did some IT auditing for a bank that was owned by my employer. I know the drill of responding to auditor findings. They usually start with a meeting bringing all the key stakeholders together, a spreadsheet listing all the findings, and lots of grumbling about ...
