Category Archives: PCI

EMV vs the UPT, Can We Fix the #FAIL?

Update Nov 4, 2013: I was in the UK last week and it looks like the Underground has fixed their terminals to allow the use of the chip at a UPT! This is great news. My guess is there is some upper limit to what can be accepted without signature and it is now implemented. Well, it has struck again. Remember how I told you guys about some of my EMV experiences now that I have a card with the chip in it? Well, it struck again… but not in the place you might think! I’m here in Salt Lake City, Utah, and I decided to take advantage of the lovely public transit (UTA) by hopping on the light rail ...


PCI DSS and the Partial Vacuum

Earlier this week I posted some thoughts I had about the newly released draft. Unfortunately, I couldn’t give you guys the actual analysis that both I and folks in my company performed (though, if you become a customer of my company, and are already a PO I am certain we can present something to you). Why? Because the Council still is treating this as a pay-to-play community without thinking about the broader impact to the ecosystem. The folks who frame the standard are some smart, experienced people. I’ve met and worked with all of them in varying capacities, and their job is incredibly challenging while being completely thankless. If you think about how things work in their world, they are ...


Managing Vulnerabilities to Closure

Edit: Merge.io is no longer; however, I will keep this up as part of the discussion around vulnerability management. I’ve been known to say that vulnerability detection is easy—it’s vulnerability management that’s hard. There are too many tools available today that can tell you everything that is wrong with your security posture. The real work comes in finding the root cause of the issue, permanently eradicating it from your environment (as in changing configuration servers, patching gold builds, dealing with sleeping physical or virtual instances), and validating to everyone who wants to know that you were successful in doing so. Time and time again, my customers complain about the challenges associated with getting clean vulnerability scans. In fact, that might be ...


First Impressions of the PCI DSS 3.0 Draft

OK folks, if you are a participating organization, or some other kind of stakeholder, you should now be able to grab the latest draft of the PCI DSS for the upcoming 3.0 revision. If you are not some kind of stakeholder, you can still get a copy but you have to be a little more sneaky. I have found copies outside already that are available if you know what to do. Now, before someone from the Council gets all worried, I’m not at liberty to actually disclose what is inside PCI DSS 3.0. Even though I was given multiple copies outside of my current relationship with the Council, I’m going to stick by my agreement and only talk in general ...


Mobile Payments Acceptance Security Best Practices Updated

Visa has a pretty extensive document library of stuff to help folks cope with some of the threats in the system, and yesterday they updated their Visa Best Practice, Mobile Payments Acceptance Solutions to v3.0. While these are still considered best practices, they are a great starting point for anyone with a mobile payment component to their business. One of my more popular posts is How to Make a Mobile Payment App Comply with PCI DSS, so I know many of you are looking at this. Take this in combination with the Starbucks app, and there is lots of interest. Keep in mind, my original post was really talking about the bare minimum as a way to get around the ...


Visa Updates Memory-Parsing Malware Warning

Visa released a public update to their Memory-Parsing Malware Warning yesterday bringing forward signatures and IPs from their original alert in April based on recent activity. This very effective technique can present itself leveraging commonly used debugging techniques for software. Essentially, this malware will access a few readily available routines to hook into the memory in a way that allows them to access and export full track data. So all of you folks who told QSAs like me this would never happen in a million years (this was a constant conversation from 2004 to 2009), baZINGA. Now that we have bazinga’d, let’s focus on how to prevent this from happening. Remember that post I did a while back about the ...


Hurry Up and Wait, PCI DSS 3.0

The PCI Council announced some highlights to the upcoming changes to PCI DSS 3.0. Here’s an article from TechTarget with comments from Bob & Troy that you might want to check out as well. The Council’s press release and available documentation does give us some insight into what they are thinking with respect to the changes, but as is with most things PCI, the devil will definitely be in the details. Based on the doc, here is a quick good/questionable list of these changes: The Good: Scoping is always an issue with PCI DSS, and now there is a formal requirement to maintain an inventory of system components that are in scope. Frankly, I don’t know how you could manage ...


The Art of the Interview

Yes, I know. There are some cobwebs around here. Don’t worry, I’m working on clearing those out. I’ve finally taken a position with a company and have been buried with all kinds of great stuff. More on this soon! But in the meantime, I found an article in the ISACA Journal from Tommie Singleton entitled, “What Every IT Auditor Should Know About Using Inquiry to Gather Evidence.” If you are in the information security business and have to deal with assessing or auditing, do yourself a favor and take ten minutes to read this article. This technique is what separates the pros from the newbs in our industry. If you have worked with me in the past, you probably remember ...


Why 2013 is a Pivotal Year for PCI DSS

While I’ve been neck deep in Rails 3 and Paypal integrations (hint, it sucks if you just want to do a complete outsource) I took a few minutes to think about the impact that PCI DSS had on my architectural decision. I actually took the advice I give freely which is to completely outsource my payments for this small side project I am working on. Just like most businesses, I have come to hate credit cards—yet, as an individual I depend on them every single day. But we’re now in 2013, and it’s not just the ninth anniversary of PCI DSS with the fourth revision of the original 1.0 version. It’s the year of mobile POS (mPOS). Why, just this ...


Adventures in Rails

It has been quite a while since I did any hardcore coding. Since that time, I have dabbled in various web projects, but programmers who don’t practice tend to get stuck in ruts. Most of the time, I would use my skills to solve small problems using methods and technologies I knew worked. If you want examples of that, go check out Brando Labs. Why do I continually pull tools like Perl, PHP, sed, Bash, and Python out to solve problems? Because I know how they work, and the learning curve to get back into the swing of things is relatively shallow. Back in the Stone days, I ended up taking a week long Java class that had me coding ...

