Tags ArchivesPCI

Corporate Responsibility with Ben Tomhave standard

This is part two in a conversation that I had with Ben Tomhave (@falconsview) last week over Twitter. What started out as a quick question about busting PCI myths turned into corporate responsibility. If you haven’t seen this article about a company who is facing massive penalties, give it a read. It will help set up my position on corporate responsibility for promoting longevity. My position: Companies must make security and compliance a core part of their competency if they choose to operate in a manner that puts them in the cross-hairs of regulation. During the conversation, we moved to overall organizational competency around areas that arguably sit on the fringe of their core business. Restaurants that make pizza should ...

Continue Reading

Getting the Most from your QSA standard

Bill Brenner of CIO magazine published a feature article on Wednesday entitled “4 Ways to Get the Most From Your PCI QSAs” where he picks four main things to focus on when using the services of a QSA.  VeriSign published a whitepaper last year reviewing several items to consider when shopping for a QSA, all of which tied back to Brenner’s recommendations. Brenner asserts that the four ways to get more from your QSA are: Choose your vendor wisely. PCI compliance is probably an important project to your organization, so be sure you find a QSA that will make your project successful.  Don’t hastily throw a solution together, treat it like the strategic project it is (and then treat it ...

Continue Reading

How PCI Can Ruin You standard

No, this is not one of those posts poo-pooing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers that I had visited over the years, and all the problems I have seen, and how even today the problems that come up are essentially caused by common root issues. BTW, I’m hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them!  That was, by far, my favorite part of writing the book.  Maybe I’ll try some bad fiction writing next? (FAIL) Anyway, one of the things that the information security ...

Continue Reading

MasterCard to Fine Merchants for Non Compliance standard

OK, SOMEONE out there has some explaining to do. Like, right now.  Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa.   We’ve had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months beginning NOW. Why the ambiguity?  None of our customers seem to have a date when the fines start!  This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...

Continue Reading

Requirement 11.2 Follies standard

Why is Requirement 11.2 one of the most failed by merchants and service providers alike? Requirement 11.2 has shown up here a few times, but after looking back, I never really explored the issues in detail.  Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake. Requirement 11.2 mandates quarterly scans for all hosts in scope for PCI, both internal and external.  Scope reduction techniques like segmentation can do wonders for limiting what needs to be scanned, but makes the biggest impact internally.  In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of ...

Continue Reading

The Final Word on MasterCard’s New Levels standard

It’s been a little over a week now since MasterCard tool the PCI world by surprise and changed their reporting requirements for Level 2 merchants.  Whether you are currently a Level 1 or Level 2 merchant, these changes affect you.  Here’s the summary and rundown. MasterCard posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and perform an on-site assessment before December 31, 2010. In addition, Level 1 merchants that were previously self-assessing may not self assess anymore, and must use a QSA for their PCI Assessments.  This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing ...

Continue Reading

NEWS FLASH: MasterCard Requires On-Site QSA for Level 2 Merchants standard

Thanks to Smiley for the tip!  See the final word here. MasterCard has posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and an on-site assessment. This is a dramatic change from the current, industry wide requirement of self-assessing for merchants processing less than six million transactions annually. While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard. Level 2 merchants are extremely significant in size, many of which being household names. Unfortunately, PCI self-assessments are typically poorly handled simply due to the complexity of the standard and lack of training provided ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!