Tag Archives: do it right

Sir, Put Down the Loaded Weapon

Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. For those who have some kind of training with weapons, you can probably think of a dozen things you would and wouldn’t do if you were in this situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or in an extreme case, earrings? Maybe you see peers treating these weapons the same way and all of a sudden it becomes acceptable. Until one goes off. Then everyone flips their lid and it’s utter chaos. Questions like, “How did this happen?” and “Why isn’t the government protecting us?” start to pop ...

Apparently You DO Need Assurance

I was going through some tweets last week and came across a tweet by @rybolov touting the most interesting blog post he will read all month about code scanning and regulatory capture. It’s from Mary Ann Davidson, the CSO of Oracle, and is entitled “Those Who Can’t Do, Audit.” While I’m not an auditor (and never have been), I’ve performed many an assessment in my career, so I thought I’d take a look at the post with the repurposed-cliché title. The first thing you will notice is that the post really isn’t about auditors; it’s about static code analysis. If I can distill the meat of the post down (and cull the two-thirds that is fat/rant), her point is that certain groups have created ...

PCI Council Revokes QSA Status (Finally?)

You readers know that I used to run one of the larger QSAs, and I took pride in the team we built, the work we did, and what our customers said about our experience. Yes, we actually had customers tell us that they LIKED their QSA. How rare is that today? Since getting out of that business, I have spent quite a bit of time helping my customers operate more securely, and in conjunction with that, comply with various standards like PCI DSS. The only time I’ve heard more colorful language describing someone is when my wife screams at the TV during football. BARELY more colorful. Earlier this month, the PCI SSC announced they were revoking the QSA and PA-QSA ...

Five Ways to Get it Right from the START

I was sitting in one of my thousands of mobile offices yesterday (i.e., the Starbucks down the way from one of my new favorite local hang-outs) wrapping up the year (on my day off, I might add) and I couldn’t help but overhear the gaggle of ladies sitting at the table in front of me talking about negotiating some kind of credit card processing agreement for their new business. This was, of course, AFTER the extremely loud gift exchange. I think one of them might have been a gag gift, unless this nice middle-aged lady really did want Cookin’ with Coolio for Christmas. I find his measurements hard to follow. How much is a “dime bag of salt” anyway? ...

PCI DSS versus Y2K

It’s been an interesting week in the PCI DSS world. I was a contributor to a webcast from First Data on scope reduction using tokenization. We had the webcasts from the Council about the changes in PCI DSS coming on October 28, and I seem to have gotten a flood of emails reminding me about the community meetings in Orlando and Barcelona. From a global perspective, PCI DSS is slowly making strides in several locales, to the point where I often adjust my daily schedule to help customers in the Pacific Rim, the Middle East, Asia, and Europe. Australian- and New Zealand-based companies seem to be taking particular interest in PCI DSS, equivalent to the levels we saw in early ...

2010 Verizon Business Data Breach Report Released

Verizon Business released their 2010 Data Breach report hours ago, and with the addition of Secret Service data to the 2010 report, there are a ton of interesting things in here. Here are a few of the highlights that I took from the report: Financial & Hospitality Beware: These two categories represent 56% of the groups involved in breaches (add in retail and you are up to 71%). Those of us in the industry know the ridiculously poor state of security in the hospitality sector. Now with the economy on its way to recovery, these businesses will once again see an uptick and criminals will see an opportunity to capture valuable data. Medium-Sized Businesses are in the Crosshairs: The grouping ...

Tokenization and Chargebacks

The NRF released a brief yesterday discussing the clarification Visa made to the operating regulations related to the storage of full card data after the transaction. As suspected, some acquirers and processors were interpreting the rule to mean that Visa required merchants to store the full card number for things like chargeback processing (the clarification was made on the issuer side of the transaction). Of course, with a phone call, acquirers quickly seemed to learn what the real intent of the rule was. I can only describe this second hand, but here’s what I know for sure. Over the last 6+ years, I have worked with many merchants to help them rid their systems of PANs. In exactly zero instances, I ...

PCI Doesn’t Take Vacations

I was lucky enough to spend some quality time away from the tubes last week, and while I am not part of a rogue PCI enforcement militia, I do tend to observe how organizations tackle security and compliance issues. For the first time, I found a rather unique disclaimer that was mere feet away from the Point of Interaction. It shocked me so much, I snapped a picture to make sure I got the wording correct. It plainly stated: “WARNING: The method used to authenticate credit card transactions for approval is not secure and personal information is subject to being intercepted (the original sticker said ‘intercetped’) by unauthorized personnel.” I promptly copied the phone number down and passed it to ...

Running Security Into The Ground

Security professionals are funny. We are incredibly strong-willed and have strong opinions on subjects we live for. It’s more than passion, it’s Passion++. Just like regular passion, but with an object-oriented framework that makes for the amplification of said passion, but only for those that truly grasp its power. For example, get a security expert that lives and breathes Linux and one that lives and breathes NetBSD in the same room, ask for the most secure open-source platform, and watch the hilarity ensue. Some security professionals have developed a dangerous attitude that rears its head when people discuss things like PCI DSS or other compliance topics. “Don’t tell me how to do my job!” This sometimes comes across ...

Trust but Verify: Words to live by!

QSAs have to walk a very fine line with customers, especially those that are coming back for years two and three on a multi-year contract. I’ve seen it happen to other companies, and it’s happened to me. The conversation goes something like this:

Me: OK, now that we are on logging, please provide me with the logs you pulled from X server in Y environment.

Them: Here you go.

Me: This is exactly what we need, but I need a set pulled from recent data, not the ones we looked at last year.

Them: But you looked at it last year! I’ll give you access to our change control system and you can see nothing changed on that box.

Me: ...
