Tags Archivessecurity stick

Why Trying to Change the Rules Doesn’t Work standard

Going against the grain isn’t easy. Go back through history and look at individuals that failed and succeeded doing just this. Most of them had incredible hardships and made huge personal sacrifices, including many who gave their life to the cause. OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you? Didn’t think so. When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS as they saw it as the justification to get the things they needed to ...

Continue Reading

Getting Support for PCI DSS standard

For the record, I LOVE it when people send in emails requesting a specific blog topic.  I can’t get to them all, but it sure helps set the direction.  The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)! In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity): How do I make executive management (C-level) aware of the necessity for, and importance ...

Continue Reading

Too Much Process, the Corporate Lobotomy standard

Process is a good thing. Some corporate citizens might disagree with that basic statement based on conversations like the following: “You mean I have to go to some website to enter a request for paper clips, and then someone in another office can just reject it because they want to?” Sometimes it doesn’t work.  When you are in situations like this, remember this little saying from a very wise man: “Don’t confuse logic with the process.” Process in other examples can be a really good thing.  Consider the actions you might take to promote code from a test or Q/A environment into production.  The steps you take to do this should be the same every time, and any deviation from ...

Continue Reading

The Dangers of Hindsight standard

Bob Carr gets it. He had to suffer through one of the largest credit card breaches on record to get there, but he gets it. Digital Transactions Magazine published an article featuring Carr entitled Don’t Hire a QSA by Seeking the Lowest Bid, Warns Heartland’s Carr.  In it, Carr painfully recalls how his previous assessors did not provide him much value, and how the low-cost bid rarely ever the best bid.  If you read his article, he doesn’t specifically argue that costs should start escalating quickly, but rather he argues that companies should spend the time to get a QSA that does a thorough job, and is not motivated to get in the door, go as quick as possible, and ...

Continue Reading

MasterCard to Fine Merchants for Non Compliance standard

OK, SOMEONE out there has some explaining to do. Like, right now.  Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa.   We’ve had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months beginning NOW. Why the ambiguity?  None of our customers seem to have a date when the fines start!  This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!