Branden R. Williams, Business Security Specialist

The Impact of PCI DSS is Up To You standard

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, it seems that the perception in the community does not align with this. I had many conversations last week from disillusioned merchants who are struggling to come up with solid plans for updating their programs. We got detailed in the book on how to address some of these issues, including new chapters on ...

Does Apple Pay Signal the Beginning of the End of PCI? standard

Whether you are a fanboy or not, you have probably seen some news about Apple’s new Apple Pay feature in the iPhone 6. It appears that the sleeping giant of digital wallets is stirring from his slumber. Could this spell the end of PCI DSS for the majority of companies affected by the standard? The last few decades have seen a number of companies attempting to disrupt or revolutionize payments, but like the payment card brands themselves, they battled acceptance. Apple’s new iPhone 6 finally has Near Field Communication (NFC) built into the device, which means it can now interact with contact-less payment card readers. The dream of leaving your house with only your phone is not quite a reality ...

PCI Community Meeting, 2014 standard

No snarky comments here ((Although, those were some fun times, use the search feature to learn more…)), and it’s time for the first of three community meetings starting tomorrow. These meetings have been going on every year since 2007 in Toronto, one year after the Council was formally announced. Even though my career has moved away from the life of a QSA, I have made every one here in the US, and several in Europe, some times as a QSA/ASV, other times as a Board of Advisor member, and finally as a sponsor. Last year, I wrote that 2013 was a pivotal year for PCI DSS. We got a new version of PCI DSS that has been controversial at best. ...

Will this Band-Aid help? standard

You know when you get a paper cut in the webbing of your fingers? How many of you just shuddered at the thought of such a minor, but memorable malady? Now, think about one of the times that you got in there really deep and had to find a band-aid. Those normal ones just don’t work! You need a special band-aid with the butterfly flaps on it. Then you can get on with your day without spreading more of your DNA on everything you touch. With all these POS breaches (like Home Depot this week), we need to address a paper cut. The paper cut here is the POS system. We can describe them as two machines with different life ...

August 2014 Roundup standard

We wrapped up the survival tips for young (and sometimes experienced) professionals series and got back to information security! While you are all still very interested in getting great customer service, my posts on the effectiveness of PCI DSS also made the rounds this time around. I hope this sets us up for a great discussion in a couple of weeks at the PCI Community Meeting in Orlando! Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. The economy is humming along quite nicely. How do we know? Because people are getting poor customer service and reading posts like this one. Is customer service is less important now that customers are ...

Guest Post: PCI Compliance Fees, Fines, and Penalties – What Happens After a Breach standard

The following is a guest post by Mark Burnette. You can reach him directly here. The PCI Data Security Standards are a set of rules designed by the credit card brands to enforce card data security. Though these are industry rules rather than laws, they can result in stiff fines and penalties for businesses, and even cost a business the ability to process credit cards. What’s more, these rules impact every business that collects, processes, or transmits card data – from mom and pop shops to retail titans. So what exactly happens to a business when it’s caught out of compliance? Fines and penalties Let’s say your business has suffered a data breach. First, the card brands will go to ...

So, uh, is PCI DSS effective? standard

After the last post, I thought I’d describe some of the challenges with measuring the effectiveness of PCI DSS. Some camps argue it is absolutely effective because there has not been a compromise to date of an entity that was fully compliant with PCI DSS at the time of their breach. Others suggest extremely low compliance rates in certain groups of merchants indicate it’s not effective in helping the little guy. A few pick up headlines and just scream that it’s broken. An industry colleague of mine, Steve Levinson, is famous for a number of sayings. One he uses when faced with numbers that sometimes don’t make sense is: “There are lies, damn lies, and statistics.” While I know he ...

Is PCI DSS Effective? standard

Another week, another breach. SuperValu is the latest entity to suffer a breach involving credit cards, and I saw a tweet over the weekend that inspired this post. It was along the lines of “I’d hate to be the guy who has to explain how PCI DSS is effective against breaches.” While there is some humor in the tweet, there is more than just the standard in play here. PCI DSS by itself is a good baseline for handling cardholder data. I’ve written articles, blogs, books, and given talks on the merits of PCI DSS ((If you are on the Council reading this, remember, I’m an on-record supporter)). PCI DSS also has flaws, compared to other compliance initiatives, that are ...

21st of August, 2014
In: Consumer Security, Enterprise Security
0
14

Why won’t you change your password? standard

There was a very interesting post by Punam Keller last week on the HBR Blog Network on the psychology of passwords. This isn’t like the previous posts you have seen on this blog. While I tend to focus on the technical problems and ways around them, Keller explores the behavioral aspects of passwords and our general resistance to do what we all know is right. She highlights four attitudes that people have when it comes to passwords: People who don’t know they should change their passwords—most likely by intentionally ignoring information that indicates they should. People who know they should change it, but avoid doing it because they think password theft and misuse will happen to someone else. People who ...

Locking your Door is a Bad Analogy for PCI DSS Compliance and InfoSec standard

Storytelling is a pastime that spans all of human existance. Famous stories like cultural parables or classics like Romeo & Juliet attempt to tackle complex or conflicting ideas and relate them to someone. We use it to pass information from place to place, to captivate audiences when delivering unexpected information (See TED talks), and to explain to a lay person why they should take some action. Pick a security standard or compliance initiative, and you will find hundreds of analogies that attempt to reduce their complexity to a tagline or short list of tasks. One in particular that is quite popular in the PCI DSS and information security space is comparing compliance with locking your front door. Of course you ...