Tag Archives: PCI community meeting

Review of the 2010 ____ ____ Meeting

PCI 2.0 is just around the corner, and what better way to discuss it than by reviewing the ____ ____ ____ that just wrapped in ____! Much of the information we received was classified as confidential or embargoed, so unless you are a stakeholder (like a ____ ____, ____, ____, or described by any other of the acronyms we have come to love) you are missing out. Of course, the first thing we all heard was the ban on social media. Ironically, there was a press table in the back, so I’m not sure what those guys are going to be able to do with the info if they cannot write about it. Anyway, here’s my take: Wednesday’s session kicked ...


The Gobble-Gobble of Public Networks

Here in the US we celebrate and give thanks for the harvest on the fourth Thursday of November, one month after our Canadian brethren did.  Does security stop just because most companies in the US are closed?  Nope, in fact, I’d like to give a shout out to all of you folks taking the overtime pay to spend time babysitting your networks.  For you, I am thankful. The PCI Europe meeting has been the topic of several blog posts recently, and here’s yet another one inspired by the Q/A session at that meeting. The Technical Working Group (TWG) must cringe when the definition of public networks is asked in a crowd.  I believe that this was one of those phrases ...


Multi-Function Service Providers, What To Do?

Service providers have dealt with compliance-driven information security mandates for much longer than merchants have.  The catalyst for Visa’s CISP program was reportedly service providers, but enforcement ultimately expanded to all stakeholders.  Regardless of its origins, a certain class of service provider has significant challenges complying with these requirements without shuttering portions of their business. Let’s say that a financial service provider is processing credit card transactions as an acquirer, as well as doing issuer processing for other third-party banks.  How can the business comply with PCI if it also must store prohibited data in order to process on behalf of its issuer customers? That, my friends, is one of the big questions in the industry today. Attendees from both ...


More Fun with Hashed PANs

Hashed PANs are a double-edged sword.  Hashes seem to be coming up quite a bit lately, and in fact there was a question about hashed PANs at the PCI Europe meeting. Luther Martin at Voltage discusses one of the two main issues with hashing: the ability to precompute tables (rainbow tables) whereby you can take a known hash value and look up the input used to create it.  Granted, one of the issues that exacerbates this for cardholder data is the limited keyspace in which card numbers are valid.  Remember they all start with published six-digit BINs, and any number must pass a Luhn check, so the set of candidate inputs is far smaller than the digit count suggests.  But, before we dance on hashing’s grave, let’s ...


Will PCI Mandate the Use of Data Discovery Tools?

The PCI Europe Community meeting was set in the beautiful Marriott in Old Town Prague last week, and even though there were fewer attendees than at the meeting in Vegas, there was no shortage of intensity and well-researched questions. One individual asked about mandating the use of data discovery tools to assist in the scoping of PCI assessments.  Imagine, as a QSA, walking into a customer site, running a tool, and knowing EXACTLY the scope of the PCI assessment you need to perform!  There would be little chance that you under- or over-scoped it, and all those little nooks and crannies that scare the bejeebus out of a QSA would be documented right there for review. If you are ...
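The two excerpts above, on hashed PANs and on data discovery tools, lean on the same two facts: a PAN must pass a Luhn check, and its first six digits are a published BIN. The Python below is an added example written for this page, not code from the blog or from any tool or vendor mentioned in it. It assumes 16-digit PANs, an unsalted SHA-256 over the bare PAN string, and an attacker who knows the BIN and the last four digits (the part a masked receipt shows); the sample text and the hashed value are constructed for the demo. First it does what a discovery tool does (match 13 to 19 digit runs, then use Luhn to drop order and phone numbers), then it shows why an unsalted hash of a PAN is weak: with ten digits known, Luhn pins one of the remaining six, leaving 10^5 candidates to hash.

```python
# Added example (not from the original posts). Assumes 16-digit PANs, an
# unsalted SHA-256 over the bare PAN string, and a known BIN plus last four.
# All sample data below is constructed for the demo.
import hashlib
import itertools
import re

DIGITS = "0123456789"


def _weighted(d: int, doubled: bool) -> int:
    """Luhn contribution of one digit (doubled digits above 9 have 9 subtracted)."""
    if not doubled:
        return d
    d2 = d * 2
    return d2 - 9 if d2 > 9 else d2


# For a doubled position, d -> _weighted(d, True) is a permutation of 0..9,
# so every residue has exactly one preimage; trivially true when not doubled.
_INVERSE = {
    False: {d: d for d in range(10)},
    True: {_weighted(d, True): d for d in range(10)},
}


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check (rightmost digit undoubled)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        total += _weighted(int(ch), i % 2 == 1)
    return total % 10 == 0


# --- Data discovery: Luhn-valid 13-19 digit runs in free text --------------
# Digit runs may be broken by single spaces or dashes, as on receipts and in logs.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs in text, digits only, in order found."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):          # drops most order/phone-number false positives
            found.append(digits)
    return found


# --- Hashed PANs: how small the keyspace really is -------------------------
def sha256_hex(pan: str) -> str:
    """Unsalted SHA-256 of the bare PAN: the weak construction under discussion."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def _solve_luhn_digit(head: str, tail: str, length: int) -> str:
    """Return the one digit that makes head + digit + tail Luhn-valid."""
    slot = len(head)                               # string index of the unknown digit
    total = 0
    for idx, ch in enumerate(head + tail):
        pos = idx if idx < slot else idx + 1       # skip the empty slot
        total += _weighted(int(ch), (length - 1 - pos) % 2 == 1)
    doubled = (length - 1 - slot) % 2 == 1
    return str(_INVERSE[doubled][(-total) % 10])


def recover_pan(target_hex: str, bin6: str, last4: str, length: int = 16):
    """Brute-force an unsalted SHA-256 PAN hash given the BIN and the last four.

    Ten digits known leaves six; Luhn fixes one of them as a function of the
    other five, so the search is 10**5 hashes, not 10**6 (and nowhere near the
    10**16 a 16-digit number suggests). Returns (pan, attempts) or (None, attempts).
    """
    free = length - len(bin6) - len(last4) - 1
    attempts = 0
    for middle in itertools.product(DIGITS, repeat=free):
        head = bin6 + "".join(middle)
        candidate = head + _solve_luhn_digit(head, last4, length) + last4
        attempts += 1
        if sha256_hex(candidate) == target_hex:
            return candidate, attempts
    return None, attempts


# Constructed sample: the well-known Visa test number plus decoys.
SAMPLE_TEXT = """Order 20091104 shipped to Prague.
Card on file: 4111 1111 1111 1111 (exp 12/12)
Phone: 555-0100-2211
Typo logged by the POS: 4111111111111112
"""

if __name__ == "__main__":
    pans = find_pans(SAMPLE_TEXT)
    print("discovered:", pans)                     # only the Luhn-valid one survives
    target = sha256_hex(pans[0])
    pan, n = recover_pan(target, pans[0][:6], pans[0][-4:])
    print("recovered", pan, "after", n, "hashes")
```

Run it as a script to see the discovered PAN and the number of hashes spent recovering it. The caveat a practitioner should take from this is that a stronger or slower hash does not fix the problem; the keyspace is the problem. A keyed construction (an HMAC under a key kept out of the attacker's reach) removes the offline check that makes this enumeration work: the candidate set stays small, but nobody without the key can test a candidate.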


Does PTS Apply to ATMs?

I’m writing (but not publishing…. Come on folks, it’s 2009…) this from 35,000 feet, somewhere over the north Atlantic, east of Iceland.  What else am I going to do while sitting in a big, metal recycled air tube hurtling over the surface at speeds never meant for man?  Think and write about security, of course! I’m heading back state-side after a great PCI Europe community meeting.  I didn’t get the final count, but the meeting had just north of 200 attendees.  It seemed smaller than last year, but that could have been the seating arrangement.  One of my favorite sessions is always the PCI Standards Feedback and Q&A Sessions.  This year was no different! While the questions in the US ...


The Social Media Ban

Attendees at the PCI Community Meeting in Vegas two weeks ago were treated to an interesting warning at the opening of the session: no social media or blogging during the meetings. I know that I picked up on it more than anyone else as I tweet and blog just a little. It didn’t take long for attendees to be warned about its use. During Bob’s opening remarks, he cautioned users not to tweet or live blog the events. The two-part irony behind the situation is that members of the press were welcomed into the meetings this year, and three of the five founding members of the council have embraced Twitter: Discover; MasterCard (including four executives); American Express (albeit just a ...


The Definition of Cardholder Data

The definition of cardholder data for most of us usually stops at the Primary Account Number, or PAN.  Those pesky digits that we have to protect as they run through our systems cause CIOs to cringe and security professionals to salivate over potential budget money.  Before you can embark on your information security journey, you need to understand what you must secure, and where it is.  I’ve posted about this before. As this is one of my most popular posts, I wanted to go back and revisit this post. When I wrote this post, we were still dealing with PCI DSS v1.2.1. While the definition has not changed in more recent versions, the landscape has quite a bit. I’ve updated ...


Ask the Council

Vegas is in the books, baby!  I’d call it a successful community meeting.  The networking opportunities were fantastic, and the sights were awesome.  For those staying in THEhotel, we got to walk off calories consumed with the long walk from the room to the conference center that we made at least twice daily.  Of course, it is Las Vegas.  It’s REALLY hard to concentrate when you know that you don’t have to walk far to be bombarded by flashing lights, bells, whistles, and other sensory delights designed to make you give money to the casino.  I came out about even. WIN. The first posts and stories have already started coming out; I’ve submitted my feedback on the meeting, and now ...


PCI Community Meeting Update Schedule

The meeting this year promises to be a goodie!  What you won’t see from attendees (including me) is any live blogging or tweeting about the meetings this year.  I’m going to be responsible this year, and will blog about the event AFTER it happens. Don’t expect any confidential information to be revealed (though that’s not something you should expect from me if you have been reading my blog for any period of time now).  Concepts that you might find here will always apply knowledge in a general manner.  I will do some kind of wrap up posting series next week. So this week, look for us at the PCI Community Meeting, and come to the Welcome Reception sponsored by VeriSign ...

