Category Archives: PCI

The Gotchas of EMV for the US Consumer

Update Nov 4, 2013: I was in the UK last week and it looks like the Underground has fixed their terminals to allow the use of the chip at a UPT! This is great news. My guess is there is some upper limit to what can be accepted without signature and it is now implemented. Some of you may know that I spent a little over a week on vacation with my wife traipsing through Europe this month. And even though I was constantly yelled at for walking too fast or running to check out some grey squirrel (they are tan here in the US), we had a fabulous time. We had a few hitches in our travels as any ...


A few tips for getting ahead of PCI Compliance

The great guys at Tripwire found me outside of the bookstore at RSA Conference this year and wanted to have a quick chat about PCI Compliance! Check out the video below for a few tips that might be helpful for you as you continue your way down this journey.


PCI SSC Releases Cloud Guidance

It looks like it’s been a busy couple of weeks for the Council! We saw their release of the eCommerce guidelines, which had some good nuggets while missing the key point of understanding the contracting process for scoping. Now we have the release of the Cloud Guidance, the latest SIG to conclude and publish a report. Read this post, then check out StorefrontBacktalk’s post, then go download the document. First, let’s highlight the good stuff. There are some great charts that attempt to give examples on how responsibilities might be allocated depending on your setup. Go through these as a benchmark, but instead of taking their defaults as gospel, validate them with your CSP using Appendix C. They reference the ...


PCI Releases eCommerce Guidelines, READ THIS FIRST!

This week saw the release of the new PCI DSS 2.0 eCommerce Guidelines, one of the latest work products from a Special Interest Group in the PCI Community. Before you go clicking on the links above, there are a few things I wanted to outline for you here. First, remember that this is a GUIDANCE document, and is not an official extension of PCI DSS. That said, there are some valuable things in here to consider as well as a few misleading statements that I wanted to comment on. Keep in mind, I am not an official mouthpiece of the Council, but I’ve been involved in the community for a long time. I have submitted my feedback to the Council ...


The CNP Fraud Cliff

It seems like we’ve heard the word “cliff” overused recently to describe a number of doom and gloom situations from an HBR article describing Novartis’s “Patent Cliff” to the impending “Fiscal Cliff” here in the US. Well, since cliff talk sounds like fun (and includes other fun words like crag, precipice, and aerie), I thought I’d discuss another impending cliff here in the US that is only a few years away. This cliff shows up as a direct result of the deployment of EMV, and we’ve seen it in many other locales. It’s the Card-Not-Present (CNP) fraud cliff. Earlier this year, King (2012) released a compilation of information discussing Chip and PIN’s impact to fraud in a number of global ...


The Biggest Thing The PCI Council Can Do

The PCI Council has been pretty influential in our lives since its inception on September 7, 2006. They were handed control of the PCI Data Security Standard and have turned it into a cascading group of standards that govern (or recommend controls) for nearly every aspect of payment acceptance and processing. So it almost seems like this PCI problem is sort of solved, doesn’t it? When you look at the PCI DSS ecosystem, many of the big rocks have already been addressed. This has some interesting side effects, one of which is a camp of merchants that have been hounded to get compliant (Levels 1-3) and a mass of merchants that have no clue about PCI DSS until they are ...


PCI Council Releases Risk Assessment Guidelines

The PCI Security Standards Council announced today a new set of guidelines for risk assessments, as output from one of the major Special Interest Groups selected by the Participating Organizations in 2011. This topic is one I have written about before, and in fact it was one of the SIGs that I voted for. I’ve been through the output and I must say, I don’t see it as any different from any other risk guidance out there. It’s fairly comprehensive when it comes to listing common risk methodologies, it gives some sample frameworks and processes, and aims to give some clarity to the larger 12.1.2 subrequirement of PCI DSS. As with most risk-related topics, you will have people hailing its ...


PCI Compliance Book Giveaway!

OK folks, our PCI Compliance book has been out for a couple of months now, and Anton & I thought it would be fun to give away a couple of copies with a contest! We have assembled a group of three independent judges that will take a whittled down list and pick winners for each competition. The winner will receive a free, signed copy of the book! So, on to the first contest. Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey anything goes view. We want to take a compliance-friendly, practitioner’s line. But we’ve all been in those meetings when you look at a ...


On Whitelisting ASVs

This topic has made the rounds again—both due to the community meetings happening over the last four weeks and with some customer discussions I became involved in. Essentially, the issue is this. ASVs need the ability to scan through perimeter defenses like IPS and companies being scanned want to showcase their defenses such that they activate (like they should) upon a scan. Both groups have valid points. The ASV is following the program guide. In order to provide passing scans they must be able to scan through perimeter defenses to the actual systems to generate an accurate vulnerability report. Having a scan instantly blocked doesn’t necessarily eliminate the possibility that a vulnerability could be exploited, it just stops that scan’s ...


Slow Down Patching?

The whole discussion around patching and vulnerability management is a big problem in general, but typically exacerbated by compliance initiatives like PCI DSS. Companies want to be secure, in general, but they have different risk procedures that can change the manner in which they do things like patching or how they lock down desktop controls. A good friend of mine turned me on to a presentation that happened at the San Diego ToorCon this past weekend that I am curious about. The abstract pushes us into dangerous territory, that of interpretation of QSAs (something we have often chatted about here). In the abstract, the presenter takes the opinion that rushing to patch is undesirable (potentially agree) and that the language ...
