Tag Archives: compliance

Level 2 Merchants, Are Your Folks Trained?

Is anyone thinking about June 30, 2011 yet?  If you are a Level 1 or Level 2 merchant, you certainly should be!  Here’s why: MasterCard had a rough time last year. They made some new rules, they changed the rules, and then they removed many of those rules.  This year, they worked out the kinks (arguably something they should have done before the first announcement) and have a revised set of requirements. Remember us talking about reciprocity last year? From the excellent post by Chris Mark on the end of the Level 4 Merchant to the retraction and strange website posts and commentary by MasterCard, reciprocity was a hotly debated issue.  As of this writing, the reciprocity on MasterCard’s website ...

PCI Security Standards go to Three Year Lifecycle

On June 22, the PCI Security Standards Council announced that effective October 2010, all of the standards under its care will move to a three year development lifecycle from the current two year lifecycle we have enjoyed since the standard was originally released on December 15, 2004. I had a chance to sit down with Bob Russo (VIRTUALLY that is) and discuss some of the changes and how that affects the standard going forward. According to Russo, the change is “a direct result of feedback from [sic] our board of advisors [sic] and participating organizations1.”  He believes the change is “a win-win for everybody.” In the linked press release above, the Council cites feedback from key stakeholders as the primary ...

Running Security Into The Ground

Security professionals are funny.  We are incredibly strong-willed and have strong opinions on subjects we live for.  It’s more than passion, it’s Passion++.  Just like regular passion, but with an object-oriented framework that makes for the amplification of said passion, but only for those that truly grasp its power. For example, get a security expert that lives and breathes Linux and one that lives and breathes NetBSD in the same room, ask for the most secure, open-source platform, and watch the hilarity ensue. Some security professionals have developed a dangerous attitude that rears its head when people discuss things like PCI DSS or other compliance topics. “Don’t tell me how to do my job!”  This sometimes comes across ...

Why ISAs are Good for QSAs

The PCI Security Standards Council recently announced their Internal Security Assessor program (ISA)1 and it seems like the response is overall positive.  I have spoken to a few QSAs that are afraid this may contribute to a decline in the business as there is dissension in the ranks of those being assessed2. ISAs are GOOD for QSAs, and as a QSA you should prefer to assess companies that have installed them in their teams. I was speaking to a colleague late last year at a PCI gathering and he mentioned that his last internal PCI assessment consumed over 3,000 hours. Three thousand hours, folks. This was not a giant company either (Level 1 merchant).  Using standard consulting rates, you are ...

Pushing Virtualization to the Store

One of the key areas that stands to benefit from wide adoption of virtualization is the retail store front.   It’s an expensive road to get there, but would be a long-term benefit to retail. Why is it expensive?  For one, you have the problem of scale.  It’s difficult to stomach an investment that requires touching all of your stores.  The long term benefits can be substantial depending on how you approach it. If you touch all of your stores ONCE with an upgraded, beefy machine that can run a hypervisor, you can continue to stand up and offer new services for quite some time without physically touching your stores.  This can be a huge benefit for companies looking to roll ...

Getting Support for PCI DSS

For the record, I LOVE it when people send in emails requesting a specific blog topic.  I can’t get to them all, but it sure helps set the direction.  The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)! In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity): How do I make executive management (C-level) aware of the necessity for, and importance ...

What’s a Token?

Along with the confusion on the term End to End Encryption, Tokenization (or just simply tokens) is a term used to describe many things.  But what is a token really?  The PCI Council does not provide any guidance other than the definition for an Index Token in the glossary: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value. But even this does not really help us.  To make matters worse, the term “token” itself is defined in the PCI DSS Glossary in the context of a 2-factor authentication device like SecurID.  I’m going to take a crack at defining it and discussing what the variants might be and how they could be weaker ...

Compliance, Easier than Security!

My undergrad is in Marketing.  I sometimes call myself a marketing guy, but only right before I rip on one that hypothetically might do something causing a technical guy to lose his weekend.  One of my favorite marketing guys is Seth Godin, and every once in a while he posts something that works not only in the Marketing world, but in our world. On Friday, his post “It’s easier to teach compliance than initiative” reminds me of how our business works.  Isn’t it WAY easier to talk about some kind of security-related compliance versus actually talking about security?  Think about your past interactions with information security.  Did you have a chance to create a 3-5 year plan detailing how you ...

Subscriptions Deal with Transactions Times Twelve

I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card) and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket!  While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, it is interesting to consider what might happen if you were to reduce the number of payment cards you process in one year. Is there a way to game the system?  Well, maybe two ways.  First is to delete PCI DSS data, but that’s not ...

Satellite Hacking, Not Just for Pros!

I found a great article by Stan Shyshkin last week on hacking internet satellites. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links.  Most of these links manifest as a form of a “carrier grade” link such as MPLS or Frame Relay.  These links are inherently considered private, even though they typically do not take advantage of encapsulated encryption. Fifteen years ago we extended our network footprint through private network links.  Companies extended their WAN in the form of a frame relay in 64-Kbit increments1. These links were rarely (if ever) encrypted partly due to the technology at the time and to inherent trust in telcos. Companies running frame ...