Category Archives: PCI

PCI DSS Feedback 2012

The PCI Security Standards Council released a statement this morning outlining some of the highlights from the feedback period we just finished this year as part of the PCI DSS lifecycle. If you are going to be at the community meeting next week (or later in October for EU), I strongly suggest you attend the session on the feedback and potential proposed changes to the standard (if they have the ability to turn that around this quickly). Here are a couple of notes from my analysis (note some of the wording is similar to the press release, go read it): Scoping is still an issue. I think we all agree that at some point the framers of PCI DSS will ...


PCI Hacks Going Global

Looks like non-US based merchants can start to shake in their boots a bit. I know this isn’t the first one outside the US (and not the biggest), but it seems like all we hear about are the ones here at home. So how big was this one? According to Wired, pretty big. 500K cards is not 95 million, but it’s certainly not a handful either. What I find interesting about this particular hack is not the number of cards or the source of the hack, but the fact that it wasn’t really advanced or much different from the majority of the small merchant breaches here in the US. The smoking gun comes from paragraph three: The company’s network used ...


Payments and NFC Still Under Fire

After spending a few days around Security Week (BlackHat, Defcon, BSidesLV) last week, I was constantly amazed at the excitement and innovation around security. Unfortunately, most of this focused on the attack side, but nevertheless, it will drive security thinking forward (which is what we want!). Several researchers focused on Near Field Communication (NFC) implementations as this technology is quickly becoming embedded in many mobile devices. While you may not be an NFC expert, you certainly have used NFC before. Any time you have used your credit card in a contactless way, paid for transport in London with an Oyster card, or even started your new automobile, you have been using a form of NFC. Businesses want NFC because ...


Semantics and Compliance

I was sitting in a meeting earlier this year and someone asked me a “quick” question about PCI DSS. Always happy to oblige, I listened to the person go through a very intricate discussion and setup for this question (as in, on the order of just over five minutes) to finally get to the punchline, “so is this out of scope?” I’ve been in those discussions before, and at times the systems were so complex that they warranted a five-plus minute review in order to set them up. In this case the majority of the discussion was around specific semantics and nuances in interpretation that could cause a particularly problematic system to be shifted off of this compliance manager’s desk. ...


Does EMV Fix SMB Compliance?

By now you probably know that EMV is coming to the US. Some say it is long overdue, others believe it will only shift fraud to other methods. But what if EMV adoption would solve the PCI issues for small and medium businesses? That could be a really interesting case study to see how it applies as small businesses are typically caught unawares when bad things happen. As with all things, it may come down to acceptance more than anything else. Imagine for a moment if companies did aim to remove PCI DSS assessment activities from their annual audit schedule and converted all of their terminals to support EMV. Unless you and I as consumers get cards with a chip ...


Hospitality Still in the Crosshairs

With all the news and information we are pummeled with daily, it’s hard to ignore the significance of cyber security and its role in protecting enterprises and individuals. It’s even pretty easy to ignore until it happens to you. I have written and spoken about the challenges in the hospitality industry before, and they remain a big target for a few big reasons. Many hotels, even ones with a big-brand name on the facade, are owned and operated by individual companies and investors. Joe’s Hotel Group buys the building, hires the employees, and plugs into GiantHotelChain’s reservation and reward system. Many hotels are wide-reaching properties where everywhere you go you have an opportunity to perform a transaction (pay TV, internet, ...


It’s Board of Advisors time!

Yep, this week is another fun-filled meeting where I’ll load up on all things PCI DSS. While I can’t discuss the topics we will review, what I would like to do is two-fold: Reminder that we are in Phase 6 of the lifecycle for PCI DSS changes. This is the feedback review period that captures all the feedback you dutifully submitted back in April and allows the Council to mull changes to the standard. Expect an update at the community meetings in your neck of the woods. Ask if there is anything pressing that I should pass along to the Council while in these meetings. Constructive feedback is welcomed, and I’m happy to pass it along. Just leave it ...


PCI Requirements Review: Service Accounts and 3.6.6

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! So far we’ve discussed PCI Requirement 4.1 and mobility, Sampling, and Patching & IPS. If you have a requirement you want reviewed, post it here! Today, it’s fun with a very specific interpretation, but I think we can cover this in a way that will be functional in most (if not all) modern setups. Now, on to our submitter: Requirement 3.6.6 – Specifically related to service accounts for applications where a human would have the service account password and the service account can then access the keys. There are two security controls that we discuss in our critical control checklist that are missing ...


PCI Requirements Review: Patching & IPS

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about PCI Requirement 4.1 and mobility. If you have a requirement you want reviewed, post it here! Today, it’s fun with interpretation around patch management and IPS. This isn’t a topic I’ve addressed before, but it is something I’ve debated with a customer. Now, on to our anonymous submitter: Some Host Based IPS vendors and QSAs are saying that if a host based IPS product can block any exploits related to a specific Microsoft patch (virtual patching), then the in-scope system does not have that specific patch applied within 30 days. Even if it SPT cc data! Hrm, interesting. A ...


PCI Requirements Review: Requirement 4.1 + Mobility

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about Sampling. If you have a requirement you want reviewed, post it here! Today, it’s all about requirement 4.1 and mobility. There are a couple of elements in play here. I’ve written about PCI DSS and mobility before and given tips on making a mobile application comply with PCI DSS, read this post. Now, on to the reader’s dilemma: Does mobile phone technology fall into [the classification] of public networks? I have ongoing arguments with an acquirer about whether a purpose-built mobile payment device, which they sold to us, can be assessed under SAQ B. The device uses cell phone ...

