Tag Archives: payment processing

Sir, Put Down the Loaded Weapon

Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. For those who have some kind of training with weapons, you can probably think of a dozen things you would and wouldn’t do if you were in this situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or in an extreme case, earrings? Maybe you see peers treating these weapons the same way and all of a sudden it becomes acceptable. Until one goes off. Then everyone flips their lid and it’s utter chaos. Questions like, “How did this happen?” and “Why isn’t the government protecting us?” start to pop ...


Top 3-5 Things to Remove from PCI DSS

PCI DSS 2.0 has been out for over a year now, and the feedback period is almost closed (ends April 15). If you have not submitted feedback yet, do so! But here’s an interesting challenge I would suggest. If you could pick three to five requirements to REMOVE from PCI DSS, what would they be, and why? I’m looking for options to simplify the standard without compromising its goal as it stands today. I’m looking to make this a serious exercise in improvement that we can submit as part of the feedback period. Comments below are open! Debate below and I’ll forward this entire thread over to the Council for review.


Corporate Responsibility with Ben Tomhave

This is part two in a conversation that I had with Ben Tomhave (@falconsview) last week over Twitter. What started out as a quick question about busting PCI myths turned into corporate responsibility. If you haven’t seen this article about a company who is facing massive penalties, give it a read. It will help set up my position on corporate responsibility for promoting longevity. My position: Companies must make security and compliance a core part of their competency if they choose to operate in a manner that puts them in the cross-hairs of regulation. During the conversation, we moved to overall organizational competency around areas that arguably sit on the fringe of their core business. Restaurants that make pizza should ...


Chip and PIN on the Way

Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way! While crammed in the back of a cab last night I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn’t work if the card in your wallet doesn’t use ...


Five Ways to Get it Right from the START

I was sitting in one of my thousands of mobile offices yesterday (i.e., the Starbucks down the way to one of my new favorite local hang-outs) wrapping up the year and I couldn’t help but overhear the gaggle of ladies sitting at the table in front of me talking about negotiating some kind of credit card processing agreement for their new business. This was, of course, AFTER the extremely loud gift exchange. I think one of them might have been a gag gift, unless this nice middle-aged lady really did want Cookin’ with Coolio for Christmas. I find his measurements hard to follow. How much is a “dime bag of salt” anyway? So picture this scene: It’s some kind ...


Where’s the Breach?

All we need to top off this post is a little old lady screaming “Where’s the Breach?” God bless 80’s marketing. A merchant out of Austin, Texas is claiming that a breach in their network came from Heartland Payment Systems (HPS), thus it must be their fault. While I am sure this is not the first merchant to be caught off guard, he’s certainly a creative one. Our culture in America seems to relish deflecting blame from oneself onto others. Why, it couldn’t be me, it must be that guy over there. What’s interesting about this particular case is that the quotes in the article are being interpreted in a manner that is inconsistent with these kinds of breaches ...


PCI Council Releases New PTS Standard

The PCI Security Standards Council released a unified PIN Transaction Security (PTS) standard yesterday under the title Point Of Interaction (POI) Modular Security Requirements. The new PTS POI unifies what were previously three separate standards: the Unattended Payment Terminal (UPT) Security Requirements, the POS PIN Entry Device Security Requirements, and the Encrypting PIN Pad (EPP) Security Requirements, all of which now sunset on May 12, 2011. According to the release: The standard introduces a new modular approach for testing all PTS points of interaction, which includes two new optional modules in addition to minor updates to the existing requirements. The Open Protocols module addresses the security of PIN Entry POI devices that utilize external connectivity, and the Secure Reading and Exchange of Data (SRED) module is designed for ...


Key Logger Attacks on the Rise (this is no joke!)

Visa released a report yesterday on their website (dated March 17) warning merchants about the rising threat of key logger and screen capture attacks. I went back looking through my archives to see if I’ve written about this danger before, but I think my examples are ones that I typically talk about in person. But don’t worry, I’ll put one for you here! This particular alert from Visa targets software keystroke loggers and screen captures. At the bottom of page two, Visa lists MD5 sums for various malware samples, probably obtained while investigating merchant breaches. They also provide eight mitigation strategies to be used as preventative measures for areas that are likely to be targeted for malware installation. My real world example ...


Consider Outsourcing Cashless Payments

One of the things that baffles me every time I walk into a retailer struggling with PCI compliance is why management doesn’t consider completely outsourcing all of their cashless payment processing. I know how we ended up in this situation, but who takes the blame for continuing to push this paradigm forward? Let’s take payments off the table and re-focus on the information we store. Information today is the lifeblood of business. The value of information is in the process of distilling petabytes of information into actionable tasks that create competitive advantage. Because information is perceived as highly valuable, the general position of information managers is “store or get access to every piece you can, then we’ll figure out how ...


Does PTS Apply to ATMs?

I’m writing (but not publishing…. Come on folks, it’s 2009…) this from 35,000 feet, somewhere over the north Atlantic, east of Iceland. What else am I going to do while sitting in a big, metal recycled-air tube hurtling over the surface at speeds never meant for man? Think and write about security, of course! I’m heading back stateside after a great PCI Europe community meeting. I didn’t get the final count, but the meeting had just north of 200 attendees. It seemed smaller than last year, but that could have been the seating arrangement. One of my favorite sessions is always the PCI Standards Feedback and Q&A Session. This year was no different! While the questions in the US ...
