Category Archives: PCI

MasterCard Offers Incident Response Planning Webinar

Requirement 12.10 has been present in all versions of PCI DSS and in earlier versions of the CISP standard, yet clearly people either struggle with meeting the requirement or with executing an incident response plan. MasterCard announced yesterday a new, upcoming webcast that delves into the details behind requirement 12.10 in PCI DSS 3.0. It’s free, so go register! In the meantime, I have a few older posts on incident response that you might enjoy. Check them out!

The Apple Incident
Compliant Compromise (Guest post by Frank Castaneira)
Boss, I Think Someone Stole our Customer Data
Contracts & PCI (Guest post by David Navetta)
Man Up MDs!

Enjoy!


Would you pay for a PCI DSS 2.0-3.0 class?

The PCI Council released a training course on PCI DSS 3.0 (via Security Innovation) dubbed an “Insider’s Guide” to the new standard. The training has a price tag to get access to the materials, and some might deem it a bit hefty considering it is only a 90-minute course. In fairness, the Council is competing with free here as a number of experts have already built, delivered, and recorded courseware for on-demand viewing on these differences. So any price for materials might appear to be “hefty.” Also, don’t forget the Council already released this freely available document which should theoretically cover all of the same materials. Is there overlap with existing training offerings? If you are relatively new to PCI ...


Subject to PCI DSS? Time for defense!

For those of you that have been reading this since it was part of the VeriSign blogging program, you know that my posts tend to follow what is most important in my daily life. Or, if not most important, the loudest thing in my daily life that really needs a comment or two. After joining RSA, I spent quite a bit of time talking about advanced threats, especially after the breach. I also sat on the PCI Board of Advisors during that time, but the reality is that my daily work around information security and what the Board was tackling were very far apart. Given the release of 3.0 and the commentary from that to date, I would still agree ...


PCI Compliance, 4e!

You read that right! The Fourth Edition of the book is now green-lit (pre-order it here), and Anton & I are hard at work bringing you new updates for PCI DSS 3.0, the SAQs, and two new chapters focused entirely on Cloud/Virtualization and Mobile. We expect the book to be out later this year through your favorite channels. Now, this is where YOU come in. We have had such amazing feedback on the book over the years and this is your chance to influence the content. This book is, and always was, for you! If you have suggestions for the book, drop them down in the comments below. We will keep you posted on our progress, and in fact you ...


Swing and a Miss: Target and the Council Respond

I happened upon the Council’s news page today and saw a couple of great attention-grabbing headlines entitled Time for Smartcards and PCI Council Responds to Critics. I found both of these interesting given the landscape of breaches we have seen over the last couple of months, but I found that both missed key points in their communication. Let’s start with the Council’s response. First, we should be clear. What Russo is saying is absolutely accurate. The majority of breaches that happen, including the Target one, happen due to basic security failures that are already covered in the standard. Go take a look at requirements 8.3 and 8.5.6.b, which directly address the latest disclosures surrounding the event. I also agree ...


Data Discovery, It’s A Thing!

Those of you who have been following me for a while know that I am a proponent of data discovery tools, and Data Loss Prevention tools where appropriate. I partnered with one while running the consulting business at VeriSign, and worked with the teams at RSA that developed their product. I even talked about finding the data as the security equivalent to Dave Ramsey’s first Baby Step for security. It’s becoming even more critical with PCI DSS 3.0 as data flow maps must be maintained and validated (to some degree). At Sysnet, we have tools for doing all kinds of scanning including data discovery scans. One of the challenges with most of the DLP solutions available is that the vendor ...


What the Leaked Target PIN Data Actually Means for You

Before you read this, consider checking out my first post on the Target breach. Payment systems are complex. If you have ever assessed one or looked under the curtains going all the way back to the issuer, you know this. So it is not a surprise that there is a ton of misinformation flying around about the PIN data that Target admitted was taken. Before we get too far down the road here, I want to review a few items to make sure we’re all on the same page. First, let’s talk about track data. The type of data in the magstripe on the back of your card is sensitive, which is why PCI Requirement 3.2 forbids storing it. I’ve ...


I Thought We Were Done With These?

Well, it appears that the bad guys hit another giant retailer this year, as Target now reports a massive breach. There are a few items here that are interesting to note. First, we are talking about magnetic stripe data and a massive volume of cards in a short period of time. This would indicate some kind of software compromise (read: not an attached skimmer) that led to the capture of stripe or PIN data. Given that there is a concern about PIN, I would guess that the compromise was either in the POS terminal or in the actual payment terminal itself where the PIN is entered. Breaches of this magnitude obviously call their compliance status into question, and the devil will ...


Missing Mobile is Like Watching the Puck Fly By

Thanks to Andrew Hay for a retweet that I happened upon last night! Keli at Bluebox Security did a post entitled PCI DSS Ignoring Mobile Security is Irresponsible that discusses some of the implications of the Council’s lack of guidance and standards around this emerged (it was emerging five years ago) technology. While many security professionals agree that leaving mobile problems alone to fester is irresponsible and does no service to the merchant implementing it, I wanted to offer a slightly different take. To me, a better metaphor for the situation is someone holding on to their VHS player because they might find that one tape of Dirty Dancing they bought twenty-five years ago. Everyone loves that scene where ...


PCI DSS 3.0: The Good, The Bad, The Confusing

If you have not grabbed your copy yet (or had one emailed to you, as it were), go here to get your very own. As we expected, there are a number of important changes that companies will be dealing with over the next several months as they begin to prepare for PCI DSS 3.0. In this post, I wanted to do a quick highlight of some of the more critical changes now that they are public. If you want to read some of my earlier reservations, they all stand with the final version. Let’s dive in. Periodics and shoulds: Yes, these are now a massive shift in the Council’s position toward ambiguity in the standard. Periodic now appears 20 times ...

