Category Archives: PCI

The Art of the Compensating Control (Part 3)

See part 1 here, part 2 here.

What a Compensating Control Is Not

Compensating controls are not a shortcut to compliance. In reality, most compensating controls are actually harder to do and cost more money in the long run than actually fixing or addressing the original issue or vulnerability. Imagine walking into a meeting with a customer that has an open, flat network, with no encryption anywhere to be found (including on their wireless network, which is not segmented either) ((While it is not a requirement to segment your network, it does make compliance easier. Usually in this situation, I find a legacy system that cannot be patched or upgraded, but now becomes in scope. Then the conversation about ...


VeriSign Forrester Webcast

Did you miss the super-duper, fantsmoriffic webinar that we did with Forrester? If you were not one of the more than 300 attendees, don’t worry! The webcast was recorded, and can now be viewed online! Check it out at http://www.iian.ibeam.com/events/nrfe001/30288/!


The Art of the Compensating Control (Part 2)

See part 1 here.

What a Compensating Control Is

In the early years of PCI DSS (and even in my experience under the CISP program), the term compensating control was used to describe everything from a legitimate work-around for a security challenge to something that Michael Phelps may have dreamed up while expanding his mind at approximately twenty minutes after four in the afternoon ((Aww… too soon?)). If you are considering a compensating control, you must perform a risk analysis and have a legitimate technological or documented business constraint before you even go to the next step. We will see more of the documented business constraints coming our way for review based on the current economic situation. Just remember the word ...


The Art of the Compensating Control (Part 1)

Few payment security professionals can find a hotter topic than compensating controls. They always look like this mythical accelerator to compliance, used to push PCI compliance initiatives through to completion at minimal cost to your company with little or no effort. Sound familiar? I wish I had a tape recorder at every meeting where I heard the phrase, “Don’t worry, we’ll just write up a compensating control for this.” It may not be as great as the twenty-seven-minute-long video floating around of every single expletive uttered during The Sopranos’ legendary run on HBO ((How impressive is twenty-seven minutes? Seriously!)), but I bet I could fill a few podcasts with the audio. Compensating controls are challenging. They often require ...


Follow-up from PCI Congressional Hearing

It’s been a few days now, and the dust is still settling, as they say. Anton Chuvakin posted some great thoughts on the hearing, including one that I TOTALLY missed. In Mr. Jones’s ((CMS 7.18. Look it up.)) defense, the site that has the XSS error in it MAY NOT be in scope for PCI depending on where the code base lies, but regardless, the vulnerability is inexcusable from a guy talking to Congress about this stuff. I fired the info around to some of our consultants and had a couple of responses of note. James, a Consulting Manager in our group, says (I am paraphrasing some of this): The contention that PCI forces retailers to stray from their core competency ...


The Art of the Compensating Control

It’s April, and what does that mean? It’s time for ISSA’s 2009 PCI issue! The feature article for that issue is The Art of the Compensating Control. You can download this version from the website, even if you are not a member, at http://www.issa.org/Members/Journal.html for the rest of the month. If you are reading this after April 2009 and want a copy, let me know. You readers of the blog are going to get a special treat! The original article was much more casual and entertaining than what we ended up publishing in the Journal. Thom reviewed the first final draft of the article and said that it was much too casual. He was absolutely right. I can’t tell you ...


For the record, I Love Dave Hogan!

I got a few comments yesterday that made me think that some of you have the wrong idea. OK, I admit, the EDI/CIO comment I made yesterday morning was over the top, and as an act of contrition, I will tell you that yesterday I was told not to wear a shiny shirt, suit, or shoes to a particular customer because their CIO didn’t like shiny consultants. My shirt was quite shiny. Something that would have been helpful to know before I packed. DOH. Before I go any further, I do realize this is April Fools’ Day. What you are about to read is NOT an April Fools’ joke. To help illustrate that point, you won’t see any backhanded compliments ...


Review of PCI Congressional Hearing

If you missed it, you can see a recording here! See what the Twitterverse had to say by searching for #pcihearing. TONS of coverage on this. First, I am very proud of our Congress for putting this hearing together. It is clear how serious this situation is when listening to the prepared, pointed statements read at the beginning. I hope I don’t make anyone upset, but I do giggle a little bit when non-techie folks trip up on techie terms. I certainly expect someone would giggle at me if I were reading a statement of detailed medical terms and missed the words. Regardless, huge props for taking the issue on. In the next paragraphs, clicking on the individual’s name ...


How a Little Push can put you into a Freefall

Last week I moderated a panel at a PCI-focused dinner in Chicago. Big props to the folks that helped to plan this (Alex, Melissa, Ben, and Diana from VeriSign); the event was great! The panel participants were heavy hitters from the industry, including Anton Chuvakin from Qualys, Davi Ottenheimer from Arcsite, and Bill Cook from Wildman Harrold. Anton has a few great points from the event that he has posted on his blog here. We had a fantastic discussion, and there were even great discussions among the panelists that revealed conflicting opinions. We had so much discussion that we were unable to go through the entire list of questions I had prepared. I had thirteen, and we only were ...


Guest Post: Compliant Compromise

The following is a guest post by Frank Castaneira. Frank is a Sr. Consulting Manager inside the Global Security Consulting practice at VeriSign. Matt Hines recently wrote about the PCI Council discussions on the applicability and adequacy of the PCI Standard given reported breaches of validated entities such as Hannaford and Heartland. Branden recently discussed the PCI Council conversation on March 6. Branden suggested greater visibility by the Council into the incident response process. This posting amplifies that solution and provides other perspectives. The discussions mentioned in Mr. Hines’s article focused on the QSA (Qualified Security Assessor) posture that an annual on-site assessment is relevant only for that point in time. Although I recognize the issue (point in time), my ...

