Incentives in PCI DSS

ETA’s Transaction Trends publication recently featured an article by Darrel Anderson entitled Why PCI Compliance Isn’t Working. In it, he describes one of the problems that we’ve been exploring here over the last month or so—incentive structures for PCI DSS. At the ETA Strategic Leadership Forum, the CEO of a prominent payments company echoed this sentiment by suggesting that his peers in the industry should be invested in taking the bite out of processing payments. Darrel touches on this in his article when he discusses the complexity of PCI DSS and how merchants struggle with it. His first carrot is to make this process easy. But we shouldn’t be focusing on making PCI easier, we should be focusing on making ...

ETA Strategic Leadership Forum

It’s that time of year again, and several of us are headed out to this fantastic event put on by ETA. Look me up when you are there so we can chat about some of the interesting events over the last few months. Some of those include:

- POS Malware
- Scoping Challenges with PCI DSS 3.0
- Apple Pay (and P2PE)
- Shellshock
- Side channel attacks on PINs

Looking forward to discussing the future of payments with some of the most influential people in the industry!

The Right Way to Present your Security Initiative

Going through my RSS the other day, I found this blog post on HBR that everyone in our field should bookmark for future reference. It’s entitled, The Right Way to Present your Business Case, by Carolyn O’Hara. As I was reflecting on the successful (and not so successful) pitches in my career, I thought that this type of message also works perfectly for information security. We have all had that moment in our careers where we knew something needed to be done, but we struggled to communicate it effectively. I distinctly remember a conversation early in my career about adding a security product to a company I worked for and the CEO said, “Until Amazon gets hacked, nobody is going ...

September 2014 Roundup

The Orlando community meeting came and went, DerbyCon came and went, and we saw a security vulnerability that rivals Heartbleed. I hope this sets us up for a great discussion in a couple of weeks at the PCI Community Meeting in Orlando! Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. The economy is humming along quite nicely. How do we know? Because people are getting poor customer service and reading posts like this one. Is customer service less important now that customers are easier to come by? Check out this diversion from security that will make you think about how you interact with your customers. Is PCI DSS ...

Shellshock and the Cyber Safety Program

I recently had a conversation with Josh Corman of IAmTheCavalry, who shared with me his open letter to the automotive industry. Entitled the Five Star Automotive Cyber Safety Program, it outlines five specific areas that affect information security, and thus the safety of the humans who rely on those systems. The five areas are:

- Safety by Design
- Third-Party Collaboration
- Evidence Capture
- Security Updates
- Segmentation & Isolation

When Josh and I first chatted, I was wary of number 4: not the fact that security updates are needed, but that there must be a mechanism by which updates can be deployed automatically (rather than by taking the car to the repair shop). Could someone create a cyber-zombie army by taking over an ...

SSL Issues with this Blog?

Because of Google’s policy change requiring that certificates be signed with at least SHA-256, I recently replaced the cert on this site. Some of you have let me know that SSL errors were popping up. One was due to a missed “https” on the MailChimp signup form; the other was due to Symantec (VeriSign)’s new root cert, which is also signed using SHA-256. If you are currently using a certificate on your SSL site that is signed using the SHA-1 algorithm, you should consider replacing that cert soon. Chrome will soon be configured to warn users visiting those sites about the weak signature. Enterprise customers, this is going to be as painful as Heartbleed if you had ...
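As an added example (not code from the original post), the following Python walks the outer ASN.1 structure of each DER-encoded certificate in a chain to read its signatureAlgorithm OID, so you can tell whether the leaf or an intermediate is still SHA-1-signed before Chrome starts warning. It needs no third-party libraries. It assumes the chain is supplied leaf-first as DER bytes; the placeholder certificates it builds are constructed in this file and are not real certificates, and the OID table and helper names are this example's own.

```python
# Added example (not code from the original post): walk the outer ASN.1 structure of
# DER-encoded X.509 certificates and flag SHA-1/MD5 signatures, which is what Chrome's
# SHA-1 sunset warns about. Standard library only. The certificates below are
# constructed placeholders built in this file, not real certificates.

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(body):
    """OID content octets -> dotted string, e.g. 1.2.840.113549.1.1.5."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear terminates the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate
    (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(der, start)           # skip tbsCertificate
    tag2, alg_start, _ = read_tlv(der, tbs_end)      # AlgorithmIdentifier
    tag3, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected certificate layout")
    return decode_oid(der[oid_start:oid_end])


def audit_chain(chain, skip_root=True):
    """(index, oid, name, weak) per cert, leaf first. Browsers never verify a trust
    anchor's self-signature, so the last cert is treated as the root and skipped."""
    certs = chain[:-1] if skip_root and len(chain) > 1 else chain
    out = []
    for i, der in enumerate(certs):
        oid = signature_algorithm(der)
        out.append((i, oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in WEAK_SIG_OIDS))
    return out


def needs_replacement(chain):
    """True if the leaf or any intermediate carries a weak signature."""
    return any(weak for _, _, _, weak in audit_chain(chain))


# ---- constructed sample input: minimal DER encoder and placeholder certificates ----

def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_cert(sig_oid):
    """Placeholder Certificate: stub tbsCertificate (serial only), real layout otherwise."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" + b"\xAB" * 128)  # >127 bytes, exercises long-form lengths
    return tlv(0x30, tbs + alg + sig)


SHA1 = "1.2.840.113549.1.1.5"
SHA256 = "1.2.840.113549.1.1.11"
OLD_CHAIN = [sample_cert(SHA1), sample_cert(SHA1), sample_cert(SHA1)]      # leaf, CA, root
NEW_CHAIN = [sample_cert(SHA256), sample_cert(SHA256), sample_cert(SHA1)]  # SHA-1 root is ok
```

The certificates that matter are the leaf and any intermediates: browsers trust a root by its identity in the local store and never validate its self-signature, so a SHA-1 signature on the trust anchor itself does not trigger the warning, which is why `audit_chain` skips the last certificate by default. To run this against a live site, capture the PEM chain with `openssl s_client -showcerts` and convert each block with the standard library's `ssl.PEM_cert_to_DER_cert` before passing the list to `needs_replacement`.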

Apple Pay is Not P2PE, and Does Not Replace PCI Compliance

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered, and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard implemented in both contact-chip and contactless variants for payments. Apple Pay is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...

Side Channel Attacks for PINs

I found this Lifehacker post this week, and I am totally loving the demonstration Mark Rober gives in his video. Anyone who has watched a crime drama knows that people are filthy beings who leave traces of themselves wherever they go. It could be DNA from skin cells or hair, prints from our shoes, or a heat signature from touching something. In the video, Rober shows how a thermal-camera attachment for an iPhone can pick up the PIN code you just entered into a terminal to pay for goods and services, from the heat your fingers left on the keys. He even gives you some ideas on how to avoid getting hit. For those of us who saw Bob Arno at the Community Meeting last week and saw the coordinated shoulder ...

The Impact of PCI DSS is Up To You

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, the perception in the community does not seem to align with it. I had many conversations last week with disillusioned merchants who are struggling to come up with solid plans for updating their programs. We go into detail in the book on how to address some of these issues, including new chapters on ...

Does Apple Pay Signal the Beginning of the End of PCI?

Whether you are a fanboy or not, you have probably seen some news about Apple’s new Apple Pay feature in the iPhone 6. It appears that the sleeping giant of digital wallets is stirring from its slumber. Could this spell the end of PCI DSS for the majority of companies affected by the standard? The last few decades have seen a number of companies attempt to disrupt or revolutionize payments, but like the payment card brands themselves, they battled for acceptance. Apple’s new iPhone 6 finally has Near Field Communication (NFC) built in, which means it can now interact with contactless payment card readers. The dream of leaving your house with only your phone is not quite a reality ...
