Category Archives: PCI

Operation Swiper (No Swiping!) and EMV Migrations

Last week we saw a major indictment of 111 individuals from an “identity theft operation” based in Queens, NY. I suppose we will learn more details as the prosecutors make their case, but from the original reads it looks more like a counterfeit credit card operation than a full identity theft operation. One key difference between the two is someone using your identity to open new lines of credit, as opposed to just capturing your card data and making a duplicate to go on a shopping spree. Many are now citing this case as a specific reason to get moving on their widescale EMV adoption. I’ve already discussed MasterCard’s and Visa’s thoughts, and would agree in principle that an EMV ...


A Conversation with MasterCard

And finally, my conversation with John Verdeschi, Senior Business Leader, Payment Systems Integrity will wrap up my interviews and posts from the PCI Community Meeting that happened two weeks ago in Scottsdale, AZ. MasterCard is widely known as a major influence in the payment industry and is the number two player in the market behind Visa. If you have ever had to hire an Approved Scan Vendor (ASV) or filled out a Self-Assessment Questionnaire (SAQ), you can thank MasterCard as both of those items are largely distilled from their Site Data Protection (SDP) program. One of the first things that I had to ask about was how MasterCard’s new PCI DSS Risk-Based Approach framework compared to Visa’s Technology Innovation Program ...


A Conversation with Visa

Wednesday was a busy day for me at the Community meeting. In between sessions, I spent thirty minutes with Eduardo Perez, head of global payment system security, Tia Ilori, business leader, U.S. payment system risk, and Ingrid Beierly, business leader, fraud control & investigations from Visa. Visa is the largest payment brand and creator of the Cardholder Information Security Program whose content drove the majority of what we see in the PCI DSS today. We started by discussing the fraud rates and how PCI DSS is helping to keep fraud under control. According to Perez, fraud rates are very low and fairly stable—around 5%. So PCI has to be doing SOME good if fraud rates are not spiraling out of ...


A Conversation with Bob, Troy, and Jeremy

If you caught me this year at the PCI Community Meeting you may have noticed something strange attached to my badge—a green “Press” ribbon. While it was strange to wear it and I don’t consider myself a member of the press, I’m thankful for what it ended up getting me. I had some great 1:1, on the record discussions with key stakeholders which I plan on bringing to you here in the blogorino. The first one I want to review is a conversation I had with the public leaders of the PCI SSC, Bob Russo (GM), Troy Leach (CTO), and Jeremy King (EU GM). The first thing I asked about was the new Special Interest Group (SIG) process that Jeremy ...


PCI Community Meeting Reviews from the Field

While I was at the community meeting, I chatted with several individuals that had feedback on the conference, and here are a few nuggets distilled from over an hour of audio recordings:

Council is getting better at understanding how reports are generated, but there still seems to be an inability to tie any given report back to the environment assessed. For example, was it scoped correctly? Were the controls assessed per the intent of the standard? Was the appropriate risk-based approach taken?

CBT Requalification is convenient, but lacks the flowing Q/A that you might see in an interactive training course. May consider trading an in-person training (or interactive training) every so often as opposed to all CBT.

Large variance among ...


PCI Community Meeting 2011, That’s a Wrap

What was day 2 like at the community meeting? Lots more tweeting, lots more networking, and lots more info! First off, HUGE thanks to Gene Kim for being the most prolific twit, by far. Thank you to everyone, present or not! We started with the Verizon Data Breach Investigation Report review from Chris Novak. While the report is not new, Chris’s anecdotes that went along with the report solidified key findings for the group. Next the conference offered options. I opted for the PCI in Practice track with fellow board members Peter Cooper, Philip Morton, and Patrick Phalen. Each presented stories and strategies they used to bring their global organizations into compliance with PCI DSS. I enjoyed the session, and I ...


PCI Community Meeting, Day 1 Observations

The first day of the event has been packed full of activities! First off, it’s been great to see everyone. Say what you want, but there are some very smart people in this industry and I really enjoy the conversation (even if it is over one of those silly Compliance on the ROC drinks). We opened the session with Bob doing that thing that he does, including a heartfelt thanks for the outpouring of support he had after missing the meeting last year. Then we saw Eduardo Perez jump up and do a quick update. My favorite quote from him is “Security has to evolve as new technologies emerge.” New technologies change the attack surface, and it seems like most ...


Last Word on the Visa TIP

The Visa Technology Innovation Program (TIP) is certainly stirring up all kinds of discussions in the technology community. I had an opportunity to get some clarification on exactly what these new changes from Visa mean for you, and wanted to summarize them here. Unlike the Compliance Acceleration Program (CAP) which used fines and interchange fees to motivate merchants, there is no true financial incentive to participate in the TIP… today. The closest resemblance to a financial incentive is the domestic and cross-border counterfeit liability shift. Merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability of a fraudulent transaction instead of the issuer after October 1, 2015. The TIP mandates that ...


Visa Kills PCI Assessments and Wants Your Processor to Support EMV

Visa made a few new changes public yesterday on their Key Program Dates for their Cardholder Information Security Program. It’s been a Visa heavy month as we watch them push EMV here in the US. Two other posts you should read:

Chip and PIN on the Way

Why Visa’s TIP Doesn’t Matter (to you)

Now, what did Visa announce yesterday? It looks like the Technology Innovation Program (TIP) is coming to the US. But as you already know (because you read the second post above), this doesn’t matter to you. From this release:

Effective 1 October 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance ...


PCI Council Revokes QSA Status (Finally?)

You readers know that I used to run one of the larger QSAs, and I took pride in the team we built, the work we did, and what our customers said about our experience. Yes, we actually had customers tell us that they LIKED their QSA. How rare is that today? Since getting out of that business, I have spent quite a bit of time helping my customers operate more securely, and in conjunction with that, comply with various standards like PCI DSS. The only time I’ve heard more colorful language describing someone is when my wife screams at the TV during football. BARELY more colorful. Earlier this month, the PCI SSC announced they were revoking the QSA and PA-QSA ...
