Tags Archives: left turn

Cracking as a Service (CaaS)?

This is not a new concept, and has even been discussed here before. PC World is reporting that a new service is available for all of us. Have a WPA PSK you want to crack? It will cost you $34 and about 20 minutes. WPA Cracker is a new service launched by the same researcher that has spent time attacking SSL/TLS over the last few years. While the price may be a little high, it certainly represents an interesting shift in activities typically reserved for botnets or universities with large computing resources. Where else could we take this? Rainbow tables for most hash types are readily available through BitTorrent, or can be generated with simple scripts and a chunk ...


MasterCard/Visa Remove Reciprocity

Thanks to a fellow reader for pointing this out!  It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions.  Discover still has the reciprocity statement on their levels, American Express and JCB never used reciprocity for their level definitions (to my best recollection). Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold.  Now it appears that this is the case as the official merchant level definitions reflect exactly this. Unfortunately, the road does not end there.  In fact, it starts forking like crazy. Now that ...


Oracle cracks everyone up

Did anyone else giggle a little bit when they saw that Oracle delayed its quarterly patch release because it would coincide with the OpenWorld 2009 Oracle conference?  According to Oracle, they didn’t want administrators to have to choose between installing updates in a timely manner and attending the conference. That’s funny for me because I have NEVER met an Oracle DBA that was excited about pushing patches to their servers in a couple of days (the original release was slated for October 13, and the conference ends on the 15th).  In fact, between Oracle DBAs and z/OS Administrators, I don’t know who wins the prize for yelling the loudest about patching within thirty days. THIRTY days. Not two days.  THIRTY ...


MasterCard Clarifies their Position

FINALLY!  An official statement from MasterCard!  Last night, MasterCard posted a four page FAQ on their website to help us deal with the onslaught of buzz that came from their original posting.  Some of it anecdotal and humorous (albeit literally true), some of it from this very blog. Here’s the meat of what you need to know: Level 1 merchants that engaged an internal audit team before 15 June 2009 must  validate compliance with a QSA by December 31, 2010. Level 2 merchants must ALSO validate compliance with a QSA by December 31, 2010. Internal assessments MAY NOT be performed.  The way that MasterCard words this, it appears to be a punt over to the Council.  If the Council would ...


MasterCard to Fine Merchants for Non Compliance

OK, SOMEONE out there has some explaining to do. Like, right now.  Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa.   We’ve had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months beginning NOW. Why the ambiguity?  None of our customers seem to have a date when the fines start!  This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...


The Final Word on MasterCard’s New Levels

It’s been a little over a week now since MasterCard took the PCI world by surprise and changed their reporting requirements for Level 2 merchants. Whether you are currently a Level 1 or Level 2 merchant, these changes affect you. Here’s the summary and rundown. MasterCard posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and perform an on-site assessment before December 31, 2010. In addition, Level 1 merchants that were previously self-assessing may not self-assess anymore, and must use a QSA for their PCI Assessments. This is a dramatic change from the current, industry-wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing ...


NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants

Thanks to Smiley for the tip!  See the final word here. MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually. While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided ...
